
migrate TPA's gitolite repositories to GitLab

We have decided to retire Gitolite in #41180 (closed), set a good example, and migrate our repos to GitLab. This is the table established in TPA-RFC-36:

| Repository | Data | Problem | Fate |
|---|---|---|---|
| account-keyring | OpenPGP keyrings | hooks into the static mirror system | convert to GitLab CI |
| buildbot-conf | old buildbot config? | obsolete | archive |
| dip | GitLab ansible playbooks? | duplicate of services/gitlab/dip? | archive? |
| dns/auto-dns | DNS zones source used by LDAP server | security | check OpenPGP signatures |
| dns/dns-helpers | DNSSEC generator used on DNS master | security | check OpenPGP signatures |
| dns/domains | DNS zones source used by LDAP server | security | check OpenPGP signatures |
| dns/mini-nag | monitoring on DNS primary | security | check OpenPGP signatures |
| letsencrypt-domains | TLS certificates generation | security | move to Puppet? |
| puppet/puppet-ganeti | puppet-ganeti fork | misplaced | destroy |
| services/gettor | ansible playbook for gettor | obsolete | archive |
| services/gitlab/dip-configs | GitLab ansible playbooks? | obsolete | archive |
| services/gitlab/dip | GitLab ansible playbooks? | duplicate of dip? | archive? |
| services/gitlab/ldapsync | LDAP to GitLab script, unused | obsolete | archive |
| static-builds | Jenkins static sites build scripts | obsolete | archive |
| tor-jenkins | Jenkins build scripts | obsolete | archive |
| tor-nagios | Icinga configuration | confidentiality? | abolish? see also TPA-RFC-33 |
| tor-passwords | password manager | confidentiality | migrate? |
| tor-virt | libvirt VM configuration | obsolete | destroy |
| trac/TracAccountManager | Trac tools | obsolete | archive |
| trac/trac-email | Trac tools | obsolete | archive |
| tsa-misc | miscellaneous scripts | none | migrate |
| userdir-ldap-cgi | fork of DSA's repository | none | migrate |
| userdir-ldap | fork of DSA's repository | none | migrate |

Update: we don't have the free cycles to do the right thing here and we're instead going to move to GitLab only the repositories that do not require special handling, that is: repositories that are archive or migrate. Everything else will be moved to special servers while we figure out what to do with that legacy stuff.

  • account-keyring (destroy, only use the copy on alberti)
  • buildbot-conf (archive)
  • dip (archive)
  • dip-configs (archive)
  • dns/auto-dns (migrate to nevii)
  • dns/dns-helpers (migrate to nevii)
  • dns/domains (migrate to nevii)
  • dns/mini-nag (migrate to nevii)
  • letsencrypt-domains (migrate to nevii)
  • puppet/puppet-ganeti (destroy)
  • services/gettor (archive)
  • services/gitlab/dip-configs (archive)
  • services/gitlab/dip (archive?)
  • services/gitlab/ldapsync (archive)
  • static-builds (archive)
  • tor-jenkins (archive)
  • tor-nagios (move to nagios, see also TPA-RFC-33, #40755 (closed))
  • tor-passwords (move to pauli)
  • tor-virt (destroy)
  • trac/TracAccountManager (archive)
  • trac/trac-email (archive)
  • tsa-misc (migrate, renamed to fabric-tasks)
  • userdir-ldap-cgi (migrate)
  • userdir-ldap (migrate)

Other repositories gleaned around the legacy infra:

  • gitolite-admin (archive, keep private)
  • /srv/git.torproject.org/git-helpers (archived, no redirects)

The repositories that were migrated to pauli, nevii or nagios need special configuration to get notifications working again. It would also be pretty awesome if they could push to a mirror on GitLab. Finally, they need docs. So extras in the checklist for those repos:

  • documentation updates (particularly howto/tls, howto/dns is barely documented...)
  • IRC notifications (KGB?) delegate to gitlab
  • email notifications (multimail?) see gitlab#71
  • GitLab mirror (with IRC hooks, see #41574 (closed))

Maybe that could be split into a separate ticket too for now, but at least we need the docs update.

Edited by anarcat