new-person.md

title: How to get a new Tor System Administrator (with web developer duties) on board

Note that this documentation needs work, as it overlaps with normal user management procedures, see issue 40129.

Glossary

• TSA: Tor System Administrators
• TPA: Tor Project Admins, synonymous with TSA, preferably used to disambiguate with the other TSAs
• TPI: Tor Project Inc. the company that employs Tor staff
• TPO: torproject.org, machines officially managed by TSA, often shortened as .tpo, for example. www.tpo
• torproject.net, machines in DNS but not officially managed by TSA
• a sysadmin can also be a service admin, and both can be paid work

Orienteering

• sysadmin wiki
• service list
• machines list
• key machines:
  • jump host and "general shell server": perdulce
  • IRC idling host: chives
  • Puppet: pauli
  • LDAP: alberti
  • Nagios: hetzner-hel1-01.torproject.org
  • Main mail server: eugeni
  • Master Ganeti nodes: fsn-node-01, chi-node-01
• key services:
  • Grafana: https://grafana.torproject.org - monitoring dashboard, password on admin/tor-passwords.git
  • Nagios: https://nagios.torproject.org/cgi-bin/icinga/status.cgi?allunhandledproblems legacy alert dashboard
  • GitLab: https://gitlab.torproject.org/ - issue tracking, project management, and git repository hosting
  • git: https://gitweb.torproject.org/, or git@git-rw.torproject.org over SSH - legacy git repository hosting
  • git repositories list, clone this first
  • web sites and team
  • see also the full service list
• project management
  • issue dashboards: TPA, web
  • TPA roadmap, web priorities
• key mailing lists:
  • tor-project@lists.torproject.org - Open list where anyone is welcome to watch but posting is moderated. Please favor using this when you can.
  • tor-internal@lists.torproject.org - If something truly can't include the wider community then this is the spot.
  • tor-team@lists.torproject.org - Exact same as tor-internal@ except that the list will accept email from non-members. If you need a cc when emailing a non-tor person then this is the place.
  • tor-employees@lists.torproject.org - TPI staff mailing list
  • tor-meeting@lists.torproject.org - for public meetings
  • torproject-admin@torproject.org - TPA-specific "mailing list" (not a mailing list but an alias)
  • see the list of mailing lists for a more exhaustive list
• IRC channels:
  • #tor-project - general Tor project channel
  • #tor-admin - channel for TPA specific stuff
  • #tor-www - Tor websites development channel
  • #tor-l10n - Tor localization channel
  • #tor-internal - channel for private discussions, need secret password and being added to the @tor-tpomember with GroupServ, part of the tor-internal@lists.tpo welcome email)
  • #tor-bots - where a lot of bots live
  • #tor-nagios ... except the Nagios bot, which lives here
  • #tor-meeting - where some meetings are held
  • #tor-meeting2 - fallback for the above
• meetings:
  • TPA monthly roadmap
  • TPA office hours (first day of the week, America/Eastern business hours on BBB)
  • All hands every week on Wednesday 16:00 UTC
• calendars:
  • TPI meetings: all meetings should be there
  • AFK tracker: to update when you take a vacation, leave, or holiday
• TPI stuff: see employee handbook from HR

Important documentation

1. Getting to know LDAP
2. SSH jump host configuration
3. How to edit this wiki, make sure you have a local copy of the documentation!
4. Puppet primer: adding yourself to the allow list
5. New machine creation
6. Updating status.tpo
7. Tor Websites
8. Roadmap

More advanced documentation

1. Account creation procedures
2. Password manager procedures (undocumented, see ssh://git@git-rw.torproject.org/admin/tor-passwords.git for now)
3. Adding and removing websites in the static mirror system
4. Editing DNS
5. TLS certificate operations
6. Puppet code linting and the entire Puppet operations manual
7. Backup restore procedures
8. Documentation design
9. Ganeti operations manual

The full documentation is available in the wiki and particularly from the service list.

Accounts to create

This section is specifically targeted at existing sysadmins, which should follow this checklist to create the necessary accounts on all core services. More services might be required if the new person is part of other service teams, see the service list for the exhaustive list.

The first few steps are part of the TPI onboarding process and might already have been performed.

Here's a checklist that should be copy-pasted in a ticket, for basic TPA access:

1. mailing lists (tor-internal@ and others, see list above)
2. about/people web page (new person should issue a MR against the source code and then get approved)
3. GitLab tpo/tpa group membership, "Maintainer" level
4. GitLab tpo/web group membership, "Maintainer" level
5. New LDAP account
6. Nagios access, contact should be created in ssh://git@git-rw.torproject.org/admin/tor-nagios, password in /etc/icinga/htpasswd.users directly on the server
7. Nextcloud account with groups TPI and TPA.
8. torproject-admin@ and torproject-admin-vcs@ aliases

Many of those are granted as part of the routine "core tor membership" admission process.

Other accounts required for full TPA access, those require the person to be vetted by a member of the community as they give access to everything:

1. LDAP admin access
2. puppet git repository access
3. TPA password manager access (admin/tor-passwords.git in gitolite)
4. Sunet cloud access (e.g. Message-ID: <87ee8w68ox.fsf@curie.anarc.at>)

Extra services we are not directly responsible for, but that TPA staff may administer at some point. Those are given as needed, depending on which service the new person will be "service admin" for:

1. BBB access
2. blog
3. btcpayserver
4. GitLab -admin account
5. gitolite admin
6. Nextcloud admin account
7. RT
8. schleuder
9. torproject github account

Welcome email

This email should be edited and sent to the hired candidates when they are confirmed.

First of all, congratulations and welcome to TPI (Tor Project, Inc.) and the TPA (Admin) team. Exciting times!

We're planning to do an orientation meeting Month Xth, Yh UTC, in the TPA meetings room:

https://tor.meet.coop/...

Make sure you can attend the meeting and pen it down in your calendar / agenda. If you cannot make it for some reason, please do let us know as soon as possible so we can reschedule.

Here is the agenda for the meeting:

1. How the Tor Project works.
   • non-profit based on grants + donations
   • volunteers (run relays, contribute code & documentation, ux)
   • core contributors (secretary & votes)
   • code of conduct & community council
   • twice a year face to face meeting
   • teams list
2. Stakeholders for your work:
   • TPA
   • web team
   • OpenFlows consultants
   • the rest of Tor...
3. How the TPA team works:
   • meetings
   • IRC / BBB / Signal
   • tickets / issues
4. TPA systems crash course through the new-person wiki page

You will shortly receive the following credentials, in an OpenPGP encrypted email:

• an LDAP account
• a Nextcloud account
• a Nagios account

You should also have access to the tpo/tpa and tpo/web groups in GitLab with the accounts you have used in the skills test.

You should do the following with these accesses:

1. hook your favorite calendar application with your Nextcloud account
2. configure an SSH key in LDAP
3. login to perdulce.torproject.org (aka "people.torproject") and download the known hosts, see the jump host documentation on how to partially automate this
4. if you need an IRC bouncer, login to chives.torproject.org and setup a screen/tmux session, or ask @pastly on IRC to get access to the ZNC bouncer
5. provide a merge request on about/people to add your bio and picture
6. login to Nagios and look around

You also have a lot of reading to do already. The new-person page is a good reference to get started.