From 239772252dba4ba8d568249ac9424d8789535925 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Tue, 18 May 2021 10:34:01 -0400
Subject: [PATCH] simplify admin creation procedure

This moves some documentation out to a better onboarding scenario,
which points to each individual page for specific procedures
---
 howto/ldap.md       | 11 +++++++++
 howto/new-person.md | 59 +++++++++++++++++++++------------------------
 2 files changed, 39 insertions(+), 31 deletions(-)

diff --git a/howto/ldap.md b/howto/ldap.md
index 1d4b4e30..9c432618 100644
--- a/howto/ldap.md
+++ b/howto/ldap.md
@@ -22,6 +22,17 @@ The rest of this document is targeted at sysadmins troubleshooting
 LDAP issues, setting up new services, or trying to understand the
 setup.
 
+## Getting to know LDAP
+
+You should have received an email like this when your LDAP account was
+created:
+
+    Subject: New ud-ldap account for <your name here>
+
+That includes information about how to configure email forwarding and
+SSH keys. You should follow those steps to configure your SSH key to
+get SSH access to servers (see [ssh-jump-host](/doc/ssh-jump-host/)).
+
 ## How to change my email forward?
 
 Send an (inline!) signed OpenPGP email to `changes@db.torproject.org`
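Review bot: the new "Getting to know LDAP" section tells the reader to follow the steps in the welcome email but only quotes its subject line, so someone who never received (or lost) the email has nothing to act on; consider adding a link to the account creation page that the other file in this patch already references (`howto/create-a-new-user`) so they can tell what should have been sent and who to ask. Also note the link style: this hunk uses an absolute `/doc/ssh-jump-host/` while the `new-person.md` hunks in the same patch use relative `doc/ssh-jump-host`; pick one form so both pages resolve the same way.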
diff --git a/howto/new-person.md b/howto/new-person.md
index 63efc620..c872db36 100644
--- a/howto/new-person.md
+++ b/howto/new-person.md
@@ -50,6 +50,19 @@ user management procedures, see [issue 40129](https://gitlab.torproject.org/tpo/
    * `#tor-meeting2` - fallback for the above
  * TPI stuff: see employee handbook from HR
 
+# Important documentation
+
+ * [Getting to know LDAP](howto/ldap#getting-to-know-ldap)
+ * [SSH jump host configuration](doc/ssh-jump-host)
+ * [Puppet primer: adding yourself to the allow list](howto/puppet#adding-an-ip-address-to-the-global-allow-list)
+
+# More advanced documentation
+
+ * [Account creation procedures](howto/create-a-new-user)
+ * Password manager procedures (undocumented, see
+   `ssh://git@git-rw.torproject.org/admin/tor-passwords.git` for now)
+ * [Puppet code linting](howto/puppet#validating-puppet-code)
+
 # Accounts to create
 
 This section is specifically targeted at *existing* sysadmins, which
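Review bot: the "More advanced documentation" list points new admins at the password manager with "(undocumented, see `ssh://git@git-rw.torproject.org/admin/tor-passwords.git` for now)", which means the only guidance for handling shared credentials is "read the repository"; since the checklist later in this patch depends on that access, it would be better to leave a tracking reference (ticket or TODO) next to "undocumented" so the gap is not forgotten. The anchor `howto/ldap#getting-to-know-ldap` matches the heading added in the `ldap.md` hunk, but the `howto/puppet#...` anchors point at sections not touched by this patch, so please confirm they exist.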
@@ -59,36 +72,20 @@ part of other service teams, see the [service list](service) for the
 exhaustive list.
 
 The first few steps are part of the TPI onboarding process and might
-already have been performed:
-
- 1. tor-internal@ and other mailing lists (see list above)
-
- 2. bio and avatar on: <https://torproject.org/about/people>
-
- 3. GitLab: admin account, preferably separate from the normal account
-    (with a `-admin` suffix, e.g. `anarcat-admin`)
-
- 4. this wiki: `git@git-rw.torproject.org:project/help/wiki.git`
-
- 5. LDAP (see [/doc/accounts](/doc/accounts)), which includes SSH
-    access (see [/doc/ssh-jump-host/](/doc/ssh-jump-host/)). person will receive an
-    email that looks like:
-    
-        Subject: New ud-ldap account for <your name here>
-    
-    and includes information about how to configure email forwarding
-    and SSH keys
-
- 6. [howto/puppet](howto/puppet) git repository in `ssh://pauli.torproject.org/srv/puppet.torproject.org/git/tor-puppet`
-    
- 7. TPA password manager is in `ssh://git@git-rw.torproject.org/admin/tor-passwords.git`
-
- 8. [howto/nagios](howto/nagios) access, contact should be created in
+already have been performed.
+
+Here's a checklist that should be copy-pasted in a ticket:
+
+ 1. [ ] mailing lists (`tor-internal@` and others, see list above)
+ 2. [ ] [about/people](https://torproject.org/about/people) web page ([source code](https://gitlab.torproject.org/tpo/web/tpo/-/tree/master/content/about/people))
+ 3. [ ] GitLab `-admin` account
+ 4. [ ] GitLab `tpo/tpa` group membership
+ 5. [ ] [New LDAP account](howto/create-a-new-user)
+ 6. [ ] [puppet](howto/puppet) git repository access (how?)
+ 7. [ ] TPA password manager access (`admin/tor-passwords.git` in gitolite)
+ 8. [ ] [Nagios](howto/nagios) access, contact should be created in
     `ssh://git@git-rw.torproject.org/admin/tor-nagios`, password in
     `/etc/icinga/htpasswd.users` directly on the server
-
- 9. RT: find the password in `hosts-extra-info` in the password
-    manager, login as root and create an account member of `rt-admin`
-    
- 10. ask linus to get access for the new sysadmin in the sunet cloud
-     (e.g. `Message-ID: <87bm1gb5wk.fsf@nordberg.se>`)
+ 9. [ ] [RT](howto/rt#new-rt-admin)
+ 10. [ ] [Nextcloud](service/nextcloud) (undocumented: add to TPA group at least)
+ 10. [ ] Sunet cloud access (e.g. `Message-ID: <87bm1gb5wk.fsf@nordberg.se>`)
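Review bot: the checklist numbers two items as `10.` (Nextcloud and Sunet cloud access); the last one should be `11.`. More importantly, several details that the old list carried are dropped rather than moved: the GitLab step loses the requirement that the admin account be *separate from the normal account* (the `-admin` suffix convention is kept, but the reason for it, a distinct privileged identity, is gone, and it is worth keeping in the checklist), step 6 replaces the Puppet repository URL with "(how?)", the RT step is reduced to a link to `howto/rt#new-rt-admin` that this patch does not create, and the Sunet cloud step no longer says who to ask. The commit message says the procedures are moved to individual pages, so either those pages should be updated in the same change or the removed details should stay here until they are.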
-- 
GitLab