Publish our puppet repository
The Puppet repository used for the Tor infrastructure is not public. We should fix that.
so concretely, the TL;DR: of what I am proposing is this:

1. Use a role account (#29663)
2. Use a control repository
3. Get rid of 3rdparty, that is:
   - convert everything to hiera (#30020) - this requires creating roles for each machine (more or less) -- effectively done as far as this issue is concerned
   - `site-modules/` and audit for private data
   - move any private data into `hiera/`, currently known private data:
     - `modules/postfix/files/virtual` - email addresses
     - `modules/postfix/files/access-1-sender-reject` and related - email addresses
     - sudoers configurations?
     - secrets in /etc/puppet (hopefully not in git, but just in case)
   - publish everything but `hiera/` as a new (secret) repository
4. Deploy with g10k
5. Authenticate with checksums
6. Deploy to branch-specific environments
7. Rename the default branch "production"
8. Push directly on the Puppet server
9. Use local test environments
10. Develop a test suite
11. Hook into CI
12. OpenPGP verification and web hook
This comes from the proposed solution section of the Puppet documentation, which also includes further improvements to the Puppet server setup. Note that steps 5 and later could actually be split in a separate ticket, but steps 3 and 4 are mandatory to ensure code integrity.
The actual issues that need to be resolved to close this ticket are really just 1 and 2, however: it just means we would need to push to two repositories to get our code public. So as a temporary measure, we would push the public repositories twice: once to the public git repository (ie. here) and once to the private one. Eventually, we would push directly with Puppet which, with access keys, would push public repositories here. But that's not essential to close this ticket, which is just about publishing our darn source code.
Once this is done, the final picture will look like this in
- `hiera/` - private data: machine -> role assignments, secret stuff like the alias file, machine location, price and other similar metadata and details (see also legacy/trac#29816 (moved))
- `modules/` - equivalent of the current `3rdparty/` directory: fully public, reusable code that's aimed at collaboration. mostly code from the Puppet forge or our own repository if no equivalent there
- `site-modules/profiles/` - magic sauce on top of 3rd party `modules/`, already created a few `modules/profiles/` for grafana and prometheus, the profiles configure official 3rd party classes with our site-specific criteria
- `site-modules/roles/` - abstract classes that regroup a few profiles. for example `roles::monitoring` could currently include `profiles::grafana` as an implementation
- `site-modules/MODULE/` - remaining custom modules that still need to be published (by moving in their own repository and `modules/` or by replacing with an existing module in
This could all be done in the current repository, without creating a new clean history one, but it would prepare us for that final step. And that step would simply be to move `roles/` into a public repository, while keeping `hiera/` private in its own repository.
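As an added illustration of the roles/profiles/hiera split described above (example code written for this note, not code from the Tor Puppet repository), assuming the voxpupuli grafana module lives in `modules/` and takes a `cfg` hash, and using a hypothetical node name:

```puppet
# site-modules/roles/manifests/monitoring.pp
# A role is an abstract class that only groups profiles. It carries no
# site-specific values, so it can be published as-is.
class roles::monitoring {
  include profiles::grafana
  include profiles::prometheus
}

# site-modules/profiles/manifests/grafana.pp
# A profile configures a third-party module from modules/ (assumed:
# voxpupuli/puppet-grafana and its "cfg" hash) with our site-specific
# criteria. Private values arrive through automatic parameter lookup
# from hiera/, so none of them appear in the published code.
class profiles::grafana (
  String            $admin_user,
  Sensitive[String] $admin_password,  # only ever defined in hiera/
  String            $root_url,
) {
  class { 'grafana':
    cfg => {
      server   => { root_url => $root_url },
      security => {
        admin_user     => $admin_user,
        # unwrap only at the point of use so the catalog/logs redact it
        admin_password => $admin_password.unwrap,
      },
    },
  }
}

# manifests/site.pp
# Nodes are bound to roles by a "classes" key in hiera/, so the
# machine -> role map stays private while the roles themselves are public.
node default {
  lookup('classes', Array[String], 'unique', []).include
}

# hiera/data/nodes/monitor.example.org.yaml (hypothetical node; shown as a
# comment so this block stays a single valid Puppet file):
#   classes:
#     - roles::monitoring
#   lookup_options:
#     profiles::grafana::admin_password:
#       convert_to: Sensitive          # wrap the decrypted value
#   profiles::grafana::admin_user: admin
#   profiles::grafana::admin_password: ENC[PKCS7,...]   # hiera-eyaml
#   profiles::grafana::root_url: https://monitor.example.org/grafana/
```

Auditing for leftover private data then reduces to grepping `site-modules/` and `modules/` for literal addresses, hostnames or credentials, since by construction every such value should resolve through `lookup()` into `hiera/`.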