Give TPA access to Tails infra

Assuming that (1) we'll merge auth systems at some point and (2) we'll not hire more sysadmins in the near future, I think the simplest for this is to just go through the Tails onboarding doc.

Do the following for all TPA folks that comply with TPA-RFC-18:

• Gather TPA's OpenPGP and SSH keys
• Give access to Gitolite
• Give TPA access to sysadmin-private
• Make sure everyone in TPA has users in Tails' GitLab
• Add users to the TPA group in Tails' GitLab
• Give the TPA group access to gitlab-config and password-store
• Give TPA access to the Puppet repository
• Give TPA SSH access to machines
• Ensure that access to the backup machine works (it's a masterless Puppet setup)
• Setup OOB access to all machines
  • Coloclue (chameleon, stone)
  • Tachanka! (ecours, gecko)
  • Riseup (dragon, iguana, lizard)
  • PauLLA (skink)
• Send relevant information to TPA:
  • Icingaweb2 access
  • XMPP channels → Skipped, see comment below
  • Mailing lists
  • Relevant GitLab projects and labels
  • Gitolite access
  • SSH info (including Dropbear)
• Inform other Tails folks about all this
• Decide about subscription to sysadmins@tails.net and tails-notifications@lists.puscii.nl
• Subscribe everyone to the sysadmins@ schleuder list
  • anarcat
  • lavamind
  • lelutin
• Subscribe those who are insterested to the tails-notifications@ list.
  • anarcat
• Update / cleanup the onboarding process documentation
• give TPA folks a tour of all of those accesses

Skipped items:

• Configure SSH keys for SSH access from trusted machines (lizard, iguana) → Not really needed now that we turned on SSH TCP forwarding
• Make them Schleuder "super admins" → Skipped, see comment below

Pending decision:

• Add TPA members to mailing lists (sysadmins@tails.net, weblate@tails.net, others?)

assigned to @zen

added Doing label

marked this issue as related to #41727

mentioned in issue #41721 (closed)

marked this issue as related to #41721 (closed)

changed the description

marked the checklist item Gather TPA's OpenPGP and SSH keys as completed

marked the checklist item Give access to Gitolite as completed

marked the checklist item Re-encrypt sysadmin-private to the new members (+ update the README file and send proper instructions) as completed

marked the checklist item Give TPA access to Tails' password store as completed

mentioned in commit repos@6566e103

mentioned in commit repos@29b130e4

I just did the following:

• Added a user for @lelutin in Tails' GitLab
• Added @lavamind and @lelutin to the tpa group in Tails' GitLab:
  • My understanding is that this is a "first batch" related to the current status of the "check compliance of TPA members to Tail's security policy, level B (...)" item in #41727.
  • From now on everyone in that group should also be able to onboard more folks as needed.
• Shared the gitlab-config, sysadmin-private and password-store projects with the tpa group there.
• Added the corresponding repos to tpo/tpa/repos> (repos@6566e103, repos@29b130e4)
• Re-encrypted the encrypted repos adding the keys of @anarcat, @lavamind and @lelutin.

@lelutin and @lavamind, please enable 2FA in your Tails' GitLab accounts.

After that, you should be able to checkout the repositories and decrypt the content of the encrypted ones.

You'll need SSH fingerprints:

gitlab-ssh.tails.boum.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDpJ9ALSGmV/djRIFD30dVoKwx/S55qP/uFh1Xah35OFZcccUXBiE4RIgff1WKyvVXOEY8V/LBy5iw2v3i+1qY2Z/i7e3N0DeCwBDkX7vch/e0Wz74HB1nKraSpQduHio6k2oN5eIdcuAcGV/mMsLzjY9vh7CnWLOq0w4PajgGU9LArDI7LsYzXwPwIQrZ9KddgEmMlvGntRpQJ7v+F2ZrU6s1K42VB8TFkW93/l90GcjawFHWMNzHvS3nn1yoa1XiO9WL1YkFCtOVK81EQzwhYg2Up8yLYKqE1pxfWgkmbDxKn6PF9PhFJfsCrXwqkE7TKn028n85jFf4YKCpVI7EN
gitlab-ssh.tails.boum.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM4AzdtxoBR9EaIOR9yNxeQbdiNdHcqfKUtWP5d46YUer4XAzVxg3x33srMdfk2SNyYP/YllEmm7/+O3yRmBUs4=
gitlab-ssh.tails.boum.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM8sdEwdRZ2w7x1kuURkE9v6unOlUgjEg0p1F4YZABqg
[git.tails.net]:3004 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+dowI9/LeunZVoj+D+oqfhcaE/6LxtJGhpGi+8nqeR+BiPYqIc5IUoe8nut2a+EUnjOPGqzx/77dYNdTcBA0aayyT+I+emc8vpNvuUBef33JUol58SM+ochnmvrDnN1xzA6phoOt/beaBP3QPmN6/Eq6HUbX73LLpP59VRx4Fb/MbDyX5akYcmg6ZZCEiI2RZUr3tX+CaYhNuD+UKv7TwOg4op92pvWc8vT22eiVewzH9sPzei9bWmEtVyg7W09akxzyBsWgO8IT/HLdNZDEUs/SY5o3MzImQIWBk7ilz8tNtIO5rCDIL8DlodfkInYbTL3EFElwhVHBaUdYL7L4h
[git.tails.net]:3004 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINx9nmilZmgqEManlRGSZy5x19s53X4fvq9Af29xe9Ep

Important note: after checking out tails/sysadmin-private, please make sure to execute the commands in the README file.

changed the description

marked the checklist item Re-encrypt sysadmin-private to the new members (+ update the README file and send proper instructions) as incomplete

marked the checklist item Give TPA access to Tails' password store as incomplete

changed the description

i noticed you added repos into myrepos, nice find! i do wonder if we want to start merging those things already though... some of those repos (gitolite-admin, in particular) feel like they might become superfluous with the merge...

perhaps we could have a separate myrepos configuration for tails at first? we have one for tpo/tpa and tpo/web already, for example...

thanks for all this work, in any case!

changed the description

i added a checklist item to give us a tour of the infra as well, just like i'll try to do with ours. :)

mentioned in commit repos@92e61bc2

marked the checklist item Give TPA access to the Puppet repository as completed

marked the checklist item Give TPA SSH access to machines as completed

changed the description

marked the checklist item Ensure that access to the backup machine works (it's a masterless Puppet setup) as completed

changed the description

marked the checklist item Coloclue (chameleon, stone) as completed

Setup OOB access to all machines

I just manually updated the keys on ColoClue and wrote to the other upstream providers to request updates.

marked the checklist item Tachanka! (ecours, gecko) as completed

changed the description

Make them Schleuder "super admins"

I will skip this step now because:

• We're using an alias (postmaster@tails.net) that points to a Schleuder list (sysadmins@tails.net), which is wrong and needs to be fixed (see https://gitlab.tails.boum.org/tails/sysadmin/-/issues/18148).
• TPA now has access to mta.chameleon and can use schleuder-cli.
• All our Schleuder lists currently have responsible admins anyway. ;D

EDIT: Also, the onboarding doc was outdated so this step should never have been here in the first place.

EDIT: fixed link to issue in Tails GitLab

changed the description

Decide about subscription to sysadmins@tails.net and tails-notifications@lists.puscii.nl

I'm opening this thread to discuss the above, and here's my opinion:

• sysadmins@tails.net:
  • This Schleuder list is important mostly because we use it for accounts in external services (eg. Google, Njalla, etc) and use it to communicate with upstream providers (Tachanka, Riseup, PauLLA, etc).
  • Other than that we get requests for GitLab accounts, occasional bug reports sent to the wrong place, and cron reports which eventually need acting upon.
  • We've been handling this list fine amongst the two of us, including during vacations.
  • I personally think we can handle this fine by now among @groente and I, but I don't oppose subscribing others if they find it important and have the bandwidth.
• tails-notifications@lists.puscii.nl: I think this is currently only used for a massive amount of Icinga2 notifications and it's not really useful for both groente and I right now so needs to be reviewed.

So from my side I think it's fine to not subscribe other TPA folks right now to any of those two lists, and if it's really needed at some point you can subscribe yourselves to sysadmins@tails.net via schleuder-cli on the mta.chameleon VM.

Thoughts?

changed the description

marked the checklist item Send relevant information to TPA: as completed

marked the checklist item Inform other Tails folks about all this as completed

changed the description

made the issue visible to everyone

marked this issue as related to #41780 (closed)

mentioned in issue #41780 (closed)

marked the checklist item Update / cleanup the onboarding process documentation as completed

changed the description

marked the checklist item Decide about subscription to sysadmins@tails.net and tails-notifications@lists.puscii.nl as completed

changed the description

marked the checklist item lelutin as completed

marked the checklist item anarcat as completed

Subscribe those who are insterested to the tails-notifications@ list.

@groente, can you please add me as an admin of tails-notifications@lists.puscii.nl? Thanks!