diff --git a/tsa/old.mdwn b/tsa/old.mdwn
new file mode 100644
index 0000000000000000000000000000000000000000..b6927bf5b87f74b2f7df28698757e2372e2655d4
--- /dev/null
+++ b/tsa/old.mdwn
@@ -0,0 +1,3 @@
+This section is all old documentation imported from alberti.
+
+[[!map pages="tsa/old/*"]]
diff --git a/tsa/old/backuppc b/tsa/old/backuppc
new file mode 100644
index 0000000000000000000000000000000000000000..d1c8518362f056ef765def2871df8b13147c7d76
--- /dev/null
+++ b/tsa/old/backuppc
@@ -0,0 +1,10 @@
+
+on serra:
+
+in /etc/backuppc:
+
+- edit hosts, add the host in question
+- create a file called $host.pl,
+ . include the common file,
+ . list shares to be backed up
+ (use an existing file as template)
diff --git a/tsa/old/nagios-client b/tsa/old/nagios-client
new file mode 100644
index 0000000000000000000000000000000000000000..90ccc7fbfe4b40a25ed6473b66a0ba5ee5cf9037
--- /dev/null
+++ b/tsa/old/nagios-client
@@ -0,0 +1,16 @@
+
+sudo apt-get update &&
+sudo apt-get install tor-nagios-checks &&
+sudo sed -i -e 's/^#DAEMON/DAEMON/' /etc/default/nagios-nrpe-server &&
+sudo env -i /etc/init.d/nagios-nrpe-server restart &&
+if [ -e '/etc/firehol/firehol.conf' ] ; then
+ echo 'You might want to add these to /etc/firehol/firehol.conf:'
+ echo
+ cat << EOF
+server custom monit tcp/4949 default accept src 38.229.70.32
+server custom nrpe tcp/5666 default accept src 38.229.70.32
+server ntp accept src 38.229.70.32
+server icmp accept src 38.229.70.32
+EOF
+fi
+
diff --git a/tsa/old/new-kvm-virsh-vm b/tsa/old/new-kvm-virsh-vm
new file mode 100755
index 0000000000000000000000000000000000000000..8bd53a807997cd1e04dc20050b674a0e8a96d0e4
--- /dev/null
+++ b/tsa/old/new-kvm-virsh-vm
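Review bot: The firewall rules for the monitoring host are only printed, and only when /etc/firehol/firehol.conf already exists, so on a host without that file the `&&` chain completes with NRPE listening on tcp/5666 and no hint that access should be limited to the monitor. Printing the suggestion unconditionally (drop the `if [ -e '/etc/firehol/firehol.conf' ]` guard, keep the `cat << EOF` block) would at least surface it everywhere. The monitor address is repeated four times in the heredoc; a `monitor=38.229.70.32` assignment at the top and `src $monitor` in each rule keeps them consistent when the address changes. Whether the package's nrpe.cfg already restricts `allowed_hosts` to that address is not visible here and is worth confirming before relying on the firewall alone.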
@@ -0,0 +1,230 @@
+#!/bin/bash
+
+# RUN ON moly
+#############
+
+set -e
+set -u
+
+VG=vg0
+SUITE=wheezy
+MIRROR=http://ftp.us.debian.org/debian
+#SPONSOR="xx"
+
+check_installed() {
+ local p
+ for p in "$@"; do
+ if ! dpkg -l "$p" 2>/dev/null | grep -q '^ii'; then
+ echo >&2 "Error: package $p not installed:"
+ echo >&2 " apt-get install $*"
+ exit 1
+ fi
+ done
+}
+get_sshkey_fprs() {
+ local f
+ for f in etc/ssh/ssh_host*_key.pub; do
+ echo -n " "
+ ssh-keygen -l -f "$f"
+ done
+}
+cleanup() {
+ set +x
+ if [ -n "$disk" ]; then
+ echo "Maybe:"
+ echo "lvremove $disk"
+ fi
+ echo
+ if [ -n "${target:-}" ] && [ -e "$target" ]; then
+ cd /
+ if [ "$(stat -f / -c %i)" != "$(stat -f "$target" -c %i)" ]; then
+ umount "$target"
+ fi
+ rmdir "$target"
+ fi
+
+ if [ -n "${part1:-}" ]; then
+ kpartx -d -p -p -v "$disk"
+ fi
+}
+check_installed debootstrap debian-archive-keyring kpartx ipv6calc
+
+echo -n "New VM's name: "
+if [ -n "${1:-}" ]; then echo "$1"; guest="$1"; shift; else read guest; fi
+echo
+echo -n "Disk size: [8g]"
+if [ -n "${1:-}" ]; then echo "$1"; disksize="$1"; shift; else read disksize; fi
+disksize=${disksize:-8g}
+
+trap cleanup EXIT
+
+LV="$guest"
+lvcreate -L "$disksize" -n "$LV" "$VG"
+
+disk="/dev/mapper/$VG-$(echo $guest | sed -e 's/-/--/')"
+target="/mnt/target-$guest"
+
+if ! [ -e "$disk" ]; then
+ echo >&2 "Error: Disk $disk does not exist."
+ exit 1
+fi
+if [ -e "$target" ]; then
+ echo >&2 "Error: Directory $target already exists."
+ exit 1
+fi
+
+if [ "$(head -c 65536 "$disk" | sha1sum | awk '{print $1}')" != "1adc95bebe9eea8c112d40cd04ab7a8d75c4f961" ]; then
+ echo -n "Warning: Disk appears to be not be empty. Continue anyway? [y/N] "
+ read ans
+ [ "$ans" = "y" ] || exit 0
+fi
+
+echo -n "ipaddr: "
+if [ -n "${1:-}" ]; then echo "$1"; ipaddr="$1"; shift; else read ipaddr; fi
+netmask=255.255.255.192
+gateway=38.229.72.1
+ip6addr=2620:0:6b0:b:1a1a::${ipaddr}
+ip6gateway=2620:0:6b0:b::1
+
+set -x
+
+if [ -e "$disk-part1" ]; then
+ # we already had a partition table and udev/kpartx got it at boot time
+ kpartx -v -d -p -part $disk
+fi
+echo '2048,,L,*' | sfdisk -u S --Linux "$disk"
+kpartx -v -p -p -a "$disk"
+part1="${disk}-p1"
+mkfs.ext4 "$part1"
+
+mkdir "$target"
+mount "$part1" "$target"
+cd "$target"
+
+debootstrap --variant=minbase --keyring=/usr/share/keyrings/debian-archive-keyring.gpg "$SUITE" . "$MIRROR"
+
+### Set up swap and fstab
+dd if=/dev/zero of=swapfile bs=1024k count=512
+chmod 0 swapfile
+mkswap ./swapfile
+
+uuidroot=$(blkid -s UUID -o value ${part1}) &&
+cat > etc/fstab << EOF
+UUID=$uuidroot / ext4 errors=remount-ro 0 1
+/swapfile none swap sw 0 0
+EOF
+echo 'RAMTMP=yes' >> etc/default/tmpfs
+
+### Set up basic networking stuff
+echo "$guest" > etc/hostname
+cat > etc/hosts << EOF
+127.0.0.1 localhost
+
+# The following lines are desirable for IPv6 capable hosts
+::1 localhost ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
+EOF
+rm -fv etc/udev/rules.d/70-persistent-*
+mkdir -p etc/udev/rules.d/
+touch etc/udev/rules.d/75-persistent-net-generator.rules
+
+cat > etc/network/interfaces << EOF
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+ address $ipaddr
+ netmask $netmask
+ up ip route add $gateway/32 dev \$IFACE
+ up ip route add default via $gateway dev \$IFACE
+ down ip route del default via $gateway dev \$IFACE
+ down ip route del $gateway/32 dev \$IFACE
+iface eth0 inet6 static
+ address $ip6addr
+ gateway $ip6gateway
+ netmask 64
+ accept_ra 0
+EOF
+
+cat > etc/resolv.conf << EOF
+nameserver 8.8.8.8
+search torproject.org
+EOF
+
+### A couple packages
+mv etc/apt/sources.list etc/apt/sources.list.d/debian.list
+chroot . apt-get update
+echo "Apt::Install-Recommends 0;" > etc/apt/apt.conf.d/local-recommends
+chroot . apt-get install -y locales-all net-tools iproute ifupdown dialog vim netbase udev psmisc usbutils pciutils
+
+### Set up kernel and bootloader
+chroot . apt-get install -y linux-image-amd64
+DEBIAN_FRONTEND=noninteractive chroot . apt-get install -y grub2
+
+! [ -e dev/vda ]
+! [ -e dev/vda1 ]
+cp -av `readlink -f "$disk"` dev/new-root
+cp -av `readlink -f "$part1"` dev/new-root1
+chroot . grub-install --modules=part_msdos /dev/new-root
+rm -v dev/new-root*
+
+cp -av `readlink -f "$disk"` dev/vda
+cp -av `readlink -f "$part1"` dev/vda1
+rm boot/grub/device.map
+chroot . update-grub
+rm -v dev/vda*
+
+rootpw="$(head -c 12 /dev/urandom | base64)"
+echo "root:$rootpw" | chroot . chpasswd
+
+### install ssh
+chroot . apt-get install -y ssh
+sed -i -e "s/`hostname`\$/$guest/" etc/ssh/ssh_host*_key.pub
+sshkeys="$(get_sshkey_fprs)"
+rsahostkey="$(cat etc/ssh/ssh_host_rsa_key.pub)"
+
+### clean up
+trap - EXIT
+cleanup
+
+
+echo "$guest's root password is $rootpw"
+echo "SSH host key fingerprints are:"
+echo "$sshkeys"
+echo "IP addresses:"
+echo " $ipaddr"
+echo " $ip6addr"
+
+echo
+echo "ud-ldap ldpavi snippet:"
+cat << EOF
+add host=$guest,ou=hosts,dc=torproject,dc=org
+host: $guest
+hostname: $guest.torproject.org
+objectClass: top
+objectClass: debianServer
+l: Germany
+distribution: Debian GNU/Linux
+access: restricted
+admin: torproject-admin@torproject.org
+architecture: amd64
+sshRSAHostKey: $rsahostkey
+ipHostNumber: $ipaddr
+ipHostNumber: `ipv6calc --in ipv6addr --out ipv6addr $ip6addr`
+mXRecord: 0 INCOMING-MX
+physicalHost: `hostname -f`
+description: XXX
+purpose: XXX
+
+EOF
+#sponsor: $SPONSOR
+
+echo "Maybe run this now: "
+echo " cd /etc/tor-virt && git pull && virsh define `hostname`/$guest.xml && virsh autostart $guest"
+echo "And then:"
+echo " virsh start $guest"
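Review bot: The root password is generated while `set -x` is still active, so `echo "root:$rootpw" | chroot . chpasswd` echoes the password into the xtrace output on stderr (and into any terminal log of the run) in addition to the intended summary at the end; wrap that one statement as `set +x` / `echo "root:$rootpw" | chroot . chpasswd` / `set -x`. Separately, `cleanup` runs under `set -u` and tests `[ -n "$disk" ]`, but `trap cleanup EXIT` is installed before `disk=` is assigned, so a failing `lvcreate` appears to make the trap die on an unbound variable instead of finishing; guard it like the other two variables with `if [ -n "${disk:-}" ]; then`. The backtick `readlink -f` substitutions feeding the four `cp -av` device copies are unquoted, which is harmless for /dev/mapper paths but inconsistent with the quoting used elsewhere in the script and would read better as `"$(readlink -f "$disk")"`.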
diff --git a/tsa/old/new-machine b/tsa/old/new-machine
new file mode 100644
index 0000000000000000000000000000000000000000..5af4aaba634179a08e6829fb2c02d7843986fcf0
--- /dev/null
+++ b/tsa/old/new-machine
@@ -0,0 +1,104 @@
+
+(all commands to be run as root unless otherwise noted)
+
+* set a hostname - pick an unused one from https://svn.torproject.org/svn/projects/misc-sysadmin/onion-names.txt
+
+* sane base setup
+ cat /dev/null > /etc/default/locale
+ # cat /etc/resolv.conf # and ensure it has domain torproject.org in it.
+ grep torproject.org /etc/resolv.conf || echo 'domain torproject.org' >> /etc/resolv.conf
+ cat /etc/hosts
+
+* add to ldap on alberti
+ for i in /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/ssh_host_ed25519_key.pub; do
+ echo "sshRSAHostKey: `cat $i`"; done
+
+* then:
+ : on alberti : && sudo -u sshdist ud-generate && sudo -H ud-replicate
+ : on nevii : && sudo -H ud-replicate
+
+* set up puppet:
+ : on pauli : &&
+ ( puppet agent -t --environment=production || true ) &&
+ ud-replicate &&
+ sudo -H -u puppet make -C /srv/puppet.torproject.org/auto-ca install
+
+ : on new machine : &&
+ me=$(hostname -f) &&
+ [ "$me" != "${me%torproject.org}" ] &&
+ apt-get update &&
+ apt-get install -y --no-install-recommends puppet lsb-release &&
+ service puppet stop &&
+ systemctl mask puppet.service &&
+ (puppet agent -t || true ) &&
+ cd /var/lib/puppet/ssl/certificate_requests &&
+ echo sha256sum output: &&
+ echo &&
+ sha256sum $me.pem &&
+ echo &&
+ echo &&
+ cd /
+
+ : on pauli: &&
+ echo "paste sha256sum output now:" &&
+ read sha256 filename &&
+ cd /var/lib/puppet/ssl/ca/requests &&
+ ( [ -e $filename ] || (echo "$filename does not exist."; exit 1) ) &&
+ echo -e "$sha256 $filename" | sha256sum -c &&
+ puppet ca sign $(basename "$filename" .pem) &&
+ echo &&
+ echo &&
+ echo &&
+ echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' &&
+ cat /var/lib/puppet/ssl/certs/ca.pem &&
+ echo 'EOF' &&
+ echo "cat > /var/lib/puppet/ssl/certs/$filename << EOF " &&
+ cat /var/lib/puppet/ssl/ca/signed/$filename &&
+ echo 'EOF' &&
+ echo 'puppet agent --enable' &&
+ echo 'puppet agent -t --pluginsync' &&
+ echo 'puppet agent -t --pluginsync' &&
+ cd /
+
+* copy paste the thing you just created on pauli into a root shell on the new host
+
+* fix nsswitch for ud fu. (you might have to restart sshd here)
+ sed -i -e 's/^passwd:[[:space:]]\+compat$/passwd: compat db/;
+ s/^group:[[:space:]]\+compat$/group: db compat/;
+ s/^shadow:[[:space:]]\+compat$/shadow: compat db/' \
+ /etc/nsswitch.conf
+ (cd / && service ssh restart)
+
+* do more puppet runs
+ puppet agent -t
+ puppet agent -t
+
+* get rid of unneeded network services:
+
+ dpkg --purge portmap nfs-common exim4 exim4-base exim4-config exim4-daemon-light
+ userdel -r Debian-exim
+
+* fix etc/aliases
+ ( ! grep '^root:' /etc/aliases && echo 'root: torproject-admin@torproject.org' >> /etc/aliases ) &&
+ sed -i -e 's/^root:.*/root: torproject-admin@torproject.org/' /etc/aliases && newaliases
+
+* set new root password, and document it
+
+* run puppet a couple times 'til it converges:
+
+ puppet agent -t ; puppet agent -t ; puppet agent -t ; puppet agent -t ;
+
+* add more software
+ apt-get install fail2ban
+
+* swap and tmp
+ grep tmpfs /etc/fstab || echo 'tmpfs /tmp tmpfs defaults 0 0' >> /etc/fstab
+
+ ! grep swap /etc/fstab &&
+ dd if=/dev/zero bs=1024k count=1024 of=/swapfile &&
+ chmod 0 /swapfile &&
+ mkswap /swapfile &&
+ echo '/swapfile none swap sw 0 0' >> /etc/fstab &&
+ swapon -a
+
+* add to nagios
diff --git a/tsa/old/new-machine-cymru b/tsa/old/new-machine-cymru
new file mode 100644
index 0000000000000000000000000000000000000000..c71a24630051113a35139913d92ca1e76134858b
--- /dev/null
+++ b/tsa/old/new-machine-cymru
@@ -0,0 +1,13 @@
+After installing from our tor iso:
+
+- set up dedicated /srv disk, if we have one
+
+- make a swapfile (either on / or on /srv if that's a dedicated FS)
+ cd /srv && [ -e lost+found ] &&
+ dd if=/dev/zero of=swapfile bs=1024k count=4096 &&
+ chmod 0 swapfile &&
+ mkswap swapfile &&
+ echo "`readlink -f swapfile` none swap sw 0 0" >> /etc/fstab &&
+ swapon -a
+
+- follow normal new-machine docs
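Review bot: In the `: on pauli:` block, `read sha256 filename` takes the pasted value and then uses `$filename` unquoted in `[ -e $filename ]`, in `cat /var/lib/puppet/ssl/ca/signed/$filename` and in the printed `cat > ... $filename` command, while `puppet ca sign` only ever sees `basename "$filename" .pem`; a pasted value carrying a directory component or whitespace passes the existence and sha256 checks against one path and signs or prints another. Reading with `-r` and normalising once keeps every later use consistent: `read -r sha256 filename && filename=${filename##*/} &&`, followed by quoting `"$filename"` at the three later uses. The input is the operator's own sha256sum output from the new machine, so this is a robustness point rather than an exposure. The same block appears verbatim in tsa/old/new-machine-hetzner-cloud and the fix applies there too.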
diff --git a/tsa/old/new-machine-hetzner-cloud b/tsa/old/new-machine-hetzner-cloud
new file mode 100644
index 0000000000000000000000000000000000000000..b5c0fb5d348c6e3c01e44d8ee3f32ffe0d08bc18
--- /dev/null
+++ b/tsa/old/new-machine-hetzner-cloud
@@ -0,0 +1,99 @@
+
+ cat /dev/null > /etc/default/locale
+ echo 'domain torproject.org' >> /etc/resolv.conf
+ vi /etc/hosts
+
+* add to ldap on alberti
+ for i in /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/ssh_host_ed25519_key.pub; do
+ echo "sshRSAHostKey: `cat $i`"; done
+
+* then:
+ : on alberti : && sudo -u sshdist ud-generate && sudo -H ud-replicate
+ : on nevii : && sudo -H ud-replicate
+
+* set up puppet:
+ : on pauli : &&
+ ( puppet agent -t --environment=production || true ) &&
+ ud-replicate &&
+ sudo -H -u puppet make -C /srv/puppet.torproject.org/auto-ca install
+
+ : on new machine : &&
+ me=$(hostname -f) &&
+ [ "$me" != "${me%torproject.org}" ] &&
+ apt-get update &&
+ apt-get install -y --no-install-recommends puppet lsb-release &&
+ service puppet stop &&
+ systemctl mask puppet.service &&
+ (puppet agent -t || true ) &&
+ cd /var/lib/puppet/ssl/certificate_requests &&
+ echo sha256sum output: &&
+ echo &&
+ sha256sum $me.pem &&
+ echo &&
+ echo &&
+ cd /
+
+ : on pauli: &&
+ echo "paste sha256sum output now:" &&
+ read sha256 filename &&
+ cd /var/lib/puppet/ssl/ca/requests &&
+ ( [ -e $filename ] || (echo "$filename does not exist."; exit 1) ) &&
+ echo -e "$sha256 $filename" | sha256sum -c &&
+ puppet ca sign $(basename "$filename" .pem) &&
+ echo &&
+ echo &&
+ echo &&
+ echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' &&
+ cat /var/lib/puppet/ssl/certs/ca.pem &&
+ echo 'EOF' &&
+ echo "cat > /var/lib/puppet/ssl/certs/$filename << EOF " &&
+ cat /var/lib/puppet/ssl/ca/signed/$filename &&
+ echo 'EOF' &&
+ echo 'puppet agent --enable' &&
+ echo 'puppet agent -t --pluginsync' &&
+ echo 'puppet agent -t --pluginsync' &&
+ cd /
+
+* copy paste the thing you just created on pauli into a root shell on the new host
+
+* fix nsswitch for ud fu. (you might have to restart sshd here)
+ sed -i -e 's/^passwd:[[:space:]]\+compat$/passwd: compat db/;
+ s/^group:[[:space:]]\+compat$/group: db compat/;
+ s/^shadow:[[:space:]]\+compat$/shadow: compat db/' \
+ /etc/nsswitch.conf
+ (cd / && service ssh restart)
+
+* do one ud-replicate:
+ puppet agent -t
+ echo alberti.torproject.org,alberti,db.torproject.org,db,38.229.70.7,2620:0:6b0:b:1a1a:0:26e5:4806 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAW1UewATLaASMo4mJoH+L8AgN1sJUIk/87z6OdrQNL9fDseLhFSPNg1LsL2Ep1ZbE22ieERHcaS4Mm8QrX9Y2VrUmFWK3jwz3+enhZkEzq7K+YKGKhUwSu+Cr+gKD1olKnw8COsZ4v5xkLh5Or854ZNJKRB84IF99P9TZ+0l/LyJCE3RVY/wV5FyhrweGmVUQVqsi7xv815uRNWjsiBWvizZddny8xaKsNTD7guo+nN9h9gjKzv6ktj/U9nbmBsBiLs4zZj7/6rfgXK020xOp63LXz8jRnDiISgHw+ERFYlmUYs04JXVrcI21jdnhzNCpLwSwBITQLSVPEaXJqO9v root@alberti > /etc/ssh/ssh_known_hosts &&
+ ud-replicate
+
+* get rid of unneeded network services:
+
+ dpkg --purge portmap nfs-common exim4 exim4-base exim4-config exim4-daemon-light
+ userdel -r Debian-exim
+
+* fix etc/aliases
+ ( ! grep '^root:' /etc/aliases && echo 'root: torproject-admin@torproject.org' >> /etc/aliases ) &&
+ sed -i -e 's/^root:.*/root: torproject-admin@torproject.org/' /etc/aliases && newaliases
+
+* set new root password, and document it
+
+* run puppet a couple times 'til it converges:
+
+ puppet agent -t ; puppet agent -t ; puppet agent -t ; puppet agent -t ;
+
+* add more software
+ apt-get install fail2ban
+
+* swap and tmp
+ grep tmpfs /etc/fstab || echo 'tmpfs /tmp tmpfs defaults 0 0' >> /etc/fstab
+
+ ! grep swap /etc/fstab &&
+ dd if=/dev/zero bs=1024k count=1024 of=/swapfile &&
+ chmod 0 /swapfile &&
+ mkswap /swapfile &&
+ echo '/swapfile none swap sw 0 0' >> /etc/fstab &&
+ swapon -a
+
+* add to nagios
diff --git a/tsa/old/new-machine-nondebian b/tsa/old/new-machine-nondebian
new file mode 100644
index 0000000000000000000000000000000000000000..8404cfa3f33115f4783ea1f54d7ca2b85e7481be
--- /dev/null
+++ b/tsa/old/new-machine-nondebian
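Review bot: The first three commands (`cat /dev/null > /etc/default/locale`, the resolv.conf append and `vi /etc/hosts`) sit above the first `*` bullet with no heading, so it is unclear which step they belong to; the parallel runbook tsa/old/new-machine labels this block `* sane base setup` and precedes it with the hostname step, and carrying both over here would make this file self-contained. The resolv.conf line also appends `domain torproject.org` unconditionally, whereas new-machine guards it with `grep torproject.org /etc/resolv.conf ||`, so re-running this step here adds duplicate lines; the guarded form is the one to keep.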
@@ -0,0 +1,52 @@
+for fc14:
+
+11-03-08 23:11:34 <weasel> I cloned the git repo into usr/local/, added two symlinks to local/sbin,
+11-03-08 23:11:41 <weasel> copied the config file to /etc/userdir-ldap
+11-03-08 23:11:47 <weasel> modified nsswitch.conf,
+11-03-08 23:11:53 <weasel> modified the pam stuff (added mkhomedir)
+11-03-08 23:12:12 <weasel> created a symlink from /var/db/.... to ../lib/misc/foo
+11-03-08 23:12:32 <weasel> disabled selinux, so ssh can read the key files
+11-03-08 23:12:38 <weasel> update ssh config
+11-03-08 23:12:40 <weasel> fix timezone
+11-03-08 23:12:52 <weasel> and created the zsh symlink
+11-03-08 23:13:03 <weasel> I think that's it. maybe I forgot something
+
+
+
+* fix up hostname. It needs to have the fully qualified hostname in 'hostname -f'
+
+cd /usr/local && git clone https://git.torproject.org/admin/userdir-ldap.git
+
+cd /usr/local/sbin && ln -s ../ln -s ../userdir-ldap/ud-config ../userdir-ldap/ud-replicate .
+
+mkdir /etc/userdir-ldap && cd /etc/userdir-ldap && cp /usr/local/userdir-ldap/userdir-ldap.conf .
+
+echo alberti.torproject.org,alberti,db.torproject.org,db,38.229.70.7 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqFvZsXVYuzrgDO7IbBjeBO5WKk+sXmb0rRzPcSwIRTaMS4h3QdLDG1VjeNA5CUeAjTOYC0hAWZiXzfsl4u0KwNJUWRGZCclbIt6V7Tk74mM0405A+y0JP3NwUnTevcRcVxiDo8mrI85y5MXvipaWnPdGYayL09h9EeNDzBVKNZooCeKQBqkejhH69gyy4gdN9HgfMep3uOInyjr86W49pZ4n7CXoVt8QkTWtoBX/qPHK8igqX/dcYkOgCclVYRrQ1G4FbxEOGD+QzwPnCGDWCUgapFXoqh7HpG0Xfg5iDXGFcIu1JgDdr/SFJkr6hmYjW0gmkge0ihGj7GZ6onWhzQ== root@alberti > /etc/ssh/ssh_known_hosts &&
+ud-replicate
+
+maybe change chown in ud-replicate
+
+cd /var/db && ln -s ../lib/misc/group.db ../lib/misc/passwd.db ../lib/misc/shadow.db .
+
+edit /etc/nsswitch.conf to read:
+ | passwd: files db
+ | shadow: files db
+ | group: db files
+
+check if 'id weasel' works
+
+disable selinux
+
+include pam mkhomedir for ssh and su.
+
+add to sshd_config:
+AuthorizedKeysFile /etc/ssh/userkeys/%u
+AuthorizedKeysFile2 /var/lib/misc/userkeys/%u
+
+crontab:
+cat > /etc/cron.d/ud-replicate << EOF
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+10,25,40,55 * * * * root ud-replicate
+EOF
+
+sudoers
diff --git a/tsa/old/new-machine.orig b/tsa/old/new-machine.orig
new file mode 100644
index 0000000000000000000000000000000000000000..bfcc6e9cfec68631d6fec7bd7b5837556de00e01
--- /dev/null
+++ b/tsa/old/new-machine.orig
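Review bot: The symlink line `cd /usr/local/sbin && ln -s ../ln -s ../userdir-ldap/ud-config ../userdir-ldap/ud-replicate .` carries a duplicated `ln -s ../` fragment; as written it most likely also drops a dangling `ln` symlink into /usr/local/sbin pointing at `../ln`, and the intended command is `cd /usr/local/sbin && ln -s ../userdir-ldap/ud-config ../userdir-ldap/ud-replicate .`. The `disable selinux` step (and the 23:12:32 log line explaining it) switches enforcement off host-wide to work around ssh being unable to read the key files; relabelling the affected paths (e.g. `restorecon -Rv /etc/ssh /var/lib/misc` for the userkeys directories named in the sshd_config lines) or granting that one access in policy keeps the rest of the host confined, and a sentence naming which files ssh could not read would let a later reader do that instead. The pinned alberti host key is written with `>` into /etc/ssh/ssh_known_hosts, which discards any existing system-wide entries; `>>` is the safer choice unless the file is known to be empty at that point.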
@@ -0,0 +1,189 @@
+* set a hostname - pick an unused one from https://svn.torproject.org/svn/projects/misc-sysadmin/onion-names.txt
+* sane base setup
+ echo "Apt::Install-Recommends 0;" > /etc/apt/apt.conf.d/local-recommends &&
+ apt-get install locales-all rsync sudo zsh subversion git-core mtr-tiny ntp &&
+ cat /dev/null > /etc/default/locale
+
+* fix TZ
+ echo 'Etc/UTC' > /etc/timezone &&
+ dpkg-reconfigure tzdata -pcritical -fnoninteractive
+
+* ssh setup
+ cd /etc/ssh/ && rm -f ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub &&
+ mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root &&
+ sed -i -e 's/^HostKey.*_dsa_key/# &/;
+ s/^X11Forwarding yes/X11Forwarding no/;
+ $ a AuthorizedKeysFile /etc/ssh/userkeys/%u
+ $ a AuthorizedKeysFile2 /var/lib/misc/userkeys/%u' sshd_config &&
+ (cd / && env -i /etc/init.d/ssh restart)
+* re-key ssh
+ cd /etc/ssh/ && rm -f ssh_host_rsa_key ssh_host_rsa_key.pub &&
+ dpkg-reconfigure openssh-server
+
+* torproject sources list entry:
+
+sudo apt-key add - << EOF &&
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+mQENBEvgZPYBCADQeFoNmFWv156s+JPiUv6vFZb1sm3sx5g61Wel38MYgEuYEdan
+mFnULzdRc5ScCqXD9iC7vJtAFWv9xobQkpffy8uQNAL6Dom/4A4z8Ywhdt8qwZWt
+qeJQ5HSv/ollXW1jd5B+VCFaLh70PMbooitq8F5uBbVhFzvd4XxbBIWw2PzFzBbI
+0daBpEdwjrtNH/E+M+ZQLMtaYyTZ1vMx+KmP2hrWtKyK4ZLmr+/2rxmoJrFGQwmp
+uBohXRHMrekrdbHPfJHPXqj4SgpP9DRj2MPemQLRByHX6Hll6xy0GKkBhg1Em5Qr
+GCCFXIiSS/kP16f7hpyBxke859m/RXLzCHHDABEBAAG0I2RiLnRvcnByb2plY3Qu
+b3JnIGFyY2hpdmUga2V5IDIwMTAtiQE8BBMBAgAmBQJL4GT2AhsDBQkFo5qABgsJ
+CAcDAgQVAggDBBYCAwECHgECF4AACgkQwsdoQg4eEkBqFAf8DtnZo0flz0IkmKDU
+D1FBAl6SHE5HN7f57mW/0CLMSvWohSKIouSBJH4dUTM8484Z15ikSRW9urzv9dsW
+w24+9EEaxBBVJqoJIMZmvqaM452kZ/zwQR4NBIGxhSJ8UblpQ0gttMB90oVoAx9a
+2erJUD8sRwCxcwPTE3fQMJZEu6oB5jIPnQQAPOznMO19CJmnZIlzWPALFC3NPRSX
+QFEZPO9CGHzpB4UDzpoBctTpTfHot33ep1c5qaLfRkmTIdImqNe2gRykglHXHCa5
+BLU4M6In3gMIoeUFeRzbE7eTm1j7NDUG3EbQf5aguRSWMWbIGWAnZdTH5ZhzSb72
+fVoq6g==
+=dBbT
+-----END PGP PUBLIC KEY BLOCK-----
+EOF
+if ! [ -e /etc/apt/sources.list.d/db.torproject.org.list ] ; then
+ echo 'deb http://db.torproject.org/torproject-admin lenny main' | sudo tee /etc/apt/sources.list.d/db.torproject.org.list
+fi
+
+* install userdir-ldap
+ apt-get update && apt-get install userdir-ldap
+
+* fix nsswitch for ud fu. (you might have to restart sshd here)
+ sed -i -e 's/^passwd:[[:space:]]\+compat$/passwd: compat db/;
+ s/^group:[[:space:]]\+compat$/group: db compat/;
+ s/^shadow:[[:space:]]\+compat$/shadow: compat db/' \
+ /etc/nsswitch.conf
+ (cd / && env -i /etc/init.d/ssh restart)
+
+* add pam_mkhomedir to common-session:
+ grep pam_mkhomedir /etc/pam.d/common-session || \
+ echo "session optional pam_mkhomedir.so skel=/etc/skel umask=0022" >> /etc/pam.d/common-session
+
+* setup sudo
+ grep '^%adm' /etc/sudoers || echo '%adm ALL=(ALL) ALL' >> /etc/sudoers
+ grep '^%adm.*apt-get' /etc/sudoers || echo '%adm ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get dist-upgrade, /usr/bin/apt-get clean' >> /etc/sudoers
+
+* add host to ud-ldap
+ : on alberti : && sudo -u sshdist ud-generate && sudo -H ud-replicate
+
+* fix resolver
+ sed -i -e 's/search localdomain/search torproject.org/' /etc/resolv.conf
+
+* do one ud-replicate:
+ echo alberti.torproject.org,alberti,db.torproject.org,db,38.229.70.7 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqFvZsXVYuzrgDO7IbBjeBO5WKk+sXmb0rRzPcSwIRTaMS4h3QdLDG1VjeNA5CUeAjTOYC0hAWZiXzfsl4u0KwNJUWRGZCclbIt6V7Tk74mM0405A+y0JP3NwUnTevcRcVxiDo8mrI85y5MXvipaWnPdGYayL09h9EeNDzBVKNZooCeKQBqkejhH69gyy4gdN9HgfMep3uOInyjr86W49pZ4n7CXoVt8QkTWtoBX/qPHK8igqX/dcYkOgCclVYRrQ1G4FbxEOGD+QzwPnCGDWCUgapFXoqh7HpG0Xfg5iDXGFcIu1JgDdr/SFJkr6hmYjW0gmkge0ihGj7GZ6onWhzQ== root@alberti > /etc/ssh/ssh_known_hosts &&
+ ud-replicate
+
+* apply phobos' sudo defaults
+ sed -i -e '
+ /^Defaults/ a Defaults mail_badpass\
+Defaults mail_no_host\
+Defaults mail_no_perms\
+Defaults tty_tickets\
+Defaults insults\
+Defaults !lecture
+ ' /etc/sudoers
+* try to become root using sudo.
+
+* disable password auth with ssh (again: once you verified you can log in and become root using keys.)
+ #vi /etc/ssh/sshd_config
+ # | PasswordAuthentication no
+
+ if grep '^PasswordAuthentication' /etc/ssh/sshd_config; then
+ sed -i -e 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config;
+ else
+ sed -i -e '$ a PasswordAuthentication no' /etc/ssh/sshd_config
+ fi &&
+ (cd / && env -i /etc/init.d/ssh restart)
+
+* get rid of unneeded network services:
+
+ dpkg --purge portmap nfs-common
+
+ dpkg --purge exim4 exim4-base exim4-config exim4-daemon-light at bsd-mailx
+ userdel -r Debian-exim
+
+* install postfix
+ apt-get install postfix postfix-cdb bsd-mailx
+
+ rm /etc/mailname
+
+ cat > /etc/postfix/main.cf << 'EOF'
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+mydomain = torproject.org
+myorigin = $myhostname
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_use_tls=yes
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+ +alias_maps = + hash:/etc/aliases + cdb:/var/lib/misc/thishost/mail-forward +alias_database = hash:/etc/aliases +mydestination = $myhostname + localhost.$mydomain + localhost +relayhost = +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 +mailbox_command = procmail -a "$EXTENSION" +mailbox_size_limit = 0 +recipient_delimiter = + +inet_interfaces = all +inet_protocols = all +EOF + + env -i /etc/init.d/postfix restart + + sed -i -e 's/^root:.*/root: torproject-admin@torproject.org/' /etc/aliases && newaliases + + +* install root admin key + echo 'ssh-rsa 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 Peter Palfrader - torproject adm key (2010-01-09)' >> /root/.ssh/authorized_keys && + wc -l /root/.ssh/authorized_keys + +* clean away broken firewall + rm -f /etc/network/if-pre-up.d/iptables /etc/iptables.rules /etc//iptables.up.rules + for j in INPUT FORWARD OUTPUT; do iptables -P $j ACCEPT; done; iptables -F + +* set new root password + +* sane editor + sudo apt-get install vim && sudo update-alternatives --set editor /usr/bin/vim.basic + + +* add more software +apt-get install ferm git-core logwatch rkhunter munin-node sudo fail2ban htop etckeeper wget + +* configure the firewall +* take ferm defaults, but need something for ferm here. + +* rkhunter +rkhunter --update --propupd + +* fail2ban: +/etc/init.d/fail2ban start + +* copy munin-node.conf from schmitzi to /etc/munin/ +* on new host: +sudo /etc/init.d/munin-node restart +* on schmitzi, add the host to /etc/munin/munin.conf diff --git a/tsa/old/new-vm-rethem b/tsa/old/new-vm-rethem new file mode 100644 index 0000000000000000000000000000000000000000..57524633054742bb393330f2752f0170a5276078 --- /dev/null +++ b/tsa/old/new-vm-rethem 
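Review bot: The `setup sudo` and `apply phobos' sudo defaults` steps append to and `sed -i` /etc/sudoers with no syntax check afterwards, and a malformed line there disables sudo for every user until it is repaired from a root shell; append `&& visudo -c` after each edit (e.g. `... >> /etc/sudoers && visudo -c`) or make the edits through `visudo -f` so a parse error is caught before the file is live. The `clean away broken firewall` step sets INPUT, FORWARD and OUTPUT to ACCEPT and flushes all rules, while the later `configure the firewall` step is still the placeholder text 'need something for ferm here', so a host taken through this runbook in order is left with no packet filter; the text should state that the ferm configuration has to be applied at that point, or the flush should be moved to just before ferm is installed. The hardcoded alberti host key pinned with `>` into /etc/ssh/ssh_known_hosts has the same overwrite behaviour as in tsa/old/new-machine-nondebian and `>>` would be the safer form if the file can already be populated.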
@@ -0,0 +1,261 @@
+= HOW I CREATED A NEW VM AT RETHEMHOSTING (CYMRU) FOR MUMBLE
+
+A quick guide for how to make VMs.
+
+18 Sep 2015
+
+== WHAT YOU WILL NEED
+
+ * Access to many git repositories
+ * Sudo access all over the place
+ * GPG key that can decrypt files in those git repositories
+ * Your ssh configuration file set up to use the appropriate
+ ProxyCommand magic to ssh into various .torproject.org hosts.
+ * Enough Unix shell skillz to be dangerous to yourself and others
+
+== THE STEPS
+
+ * Go to the approach for rethemhosting. You can find it in
+ hosts-extra-info in the tor-passwords repository.
+
+ If your browser hates you when you do this, it's possible that
+ rethemhosting still hasn't upgraded their DH parameters to
+ something non-embarrassing. Disable the DHE ciphersuites and try
+ again. Very sorry. I emailed them about it.
+
+ * Pick an onion species name:
+
+ https://en.wikipedia.org/wiki/List_of_Allium_species
+
+ (I went with "tuburosum", since I have some of that in my
+ fridge. Try not to pick something that has the first 3 characters
+ in common with some other host.)
+
+ * In the rethemhosting interface, go to the list of instances, then
+ select "add instance" (currently towards the top right.)
+
+ It will walk you through a wizard.
+
+ 1: Select ISO
+
+ 2: Select "my ISOs", then tor-debian-7.8-20150221.
+
+ (If there is something more recent than that, ask weasel if it
+ is safe to use!)
+
+ You will have only one option for hypervisor.
+
+ 3: Configure the CPU/RAM requirements as needed
+
+ 4: Select 20 GB disk, always. More disks can get added later.
+
+ 5: Is easy; nothing to do here.
+
+ 6: Select 'Tor External Dual', then make it the default, then
+ deselect the original network.
+
+ Weasel explains: "one is I think an internal network that isn't
+ routed anywhere, and the two external things are two networks
+ that are in the internet but with different address space. I
+ think the first tor external one is full."
+
+ 7: Give it a name. No group.
+
+ * Launch the VM! It will boot from a custom install CD.
+
+ * Did you think you were done? Lolololollol11ol!
+
+ * Once the VM is running, click on it in the rethem interface, and
+ go to the NICs tab. Learn the IP addresses (v4 and v6) and
+ gateways for the new VM.
+
+ * Edit the domains git repository. (It is at
+ git@git-rw.torproject.org:admin/dns/domains.)
+
+ DO NOT EDIT torproject.org!!!!!!
+
+ Instead, add the reverse-dns records as appropriate to the *.arpa files.
+
+ ipv6cal can help with ipv6 reverse fu. e.g.:
+
+ weasel@defiant:~$ ipv6calc --in ipv6addr --out revnibbles.arpa 2607:8500:5:1::5a2c
+ c.2.a.5.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.5.0.0.0.0.0.5.8.7.0.6.2.ip6.arpa.
+
+ Commit and push when you are done; magic will happen.
+
+ * Now you need to get console access to the new VM: Click the rightmost
+ icon on the details screen at the rethem cloudstack thing.
+
+ The debian installer is about to ask you for some advice:
+
+ - Tell it the IP address to use.
+ - Tell it a netmask
+ - Tell it a gateway.
+ - Tell it the hostname.
+
+ It might ask you if you want to create a swap partition. You don't.
+
+ It will ask you if you want to write the new partition map to the
+ the disk. You do.
+
+ Now it will do a debian installation! This will take a while.
+
+ * You need to add the new host to nagios.
+
+ git clone git@git-rw.torproject.org:admin/tor-nagios
+
+ cd config
+
+ edit nagios-master.cfg
+
+ Add the new host right below the most recently added host. By
+ default, you should put it in these hostgroups:
+ computers, syslog-ng-hosts, no-ntp-peer.
+
+ (Other hostgroups are documented at XXXXXXXXXXXXX.)
+
+ Run make. Did that work?
+
+ If so, run make install.
+
+ Commit and push.
+
+ * ssh into your shiny new host! (as root.)
+
+ (The root password is the one marked as "rethemhosting
+ torproject.org preseed debian-install image default root password"
+ in hosts-extra-info in tor-passwords.git. Don't worry, we'll
+ change it.)
+
+ (Use -o HostKeyAlgorithms=ssh-rsa to avoid a warning later on.)
+
+ * If you got in, detach the ISO.
+
+ It's one of the icons in the cloudstack thing. It looks like a paperclip.
+
+
+ * Get a shell on alberti, then run:
+
+
+ ldapvi -ZZ --encoding=ASCII --ldap-conf -h db.torproject.org -D uid=nickm,ou=users,dc=torproject,dc=org
+
+ You will need to use your ldap password.
+
+ Now you are editing the LDAP database!
+
+ Look for the last host= entry for a rethemhosting host in the file.
+
+ Copy that whole block to the end of the file, and replace the
+ number with the word "add". Then set the hostname correctly, and
+ update the other stuff. (like memory, ssh host key, ip addresses,
+ purpose.) drop or replace allowedGroups.
+
+ Use dpkg --print-architecture if you don't know what the architecture is.
+ (It's amd64.)
+
+ Save and quit, then say yes.
+
+
+ * Open an editor on the new host as root, and edit
+ /etc/network/interfaces. Edit it to be a copy of the one on the
+ most recently created host, except fill in the correct values for
+ this host. I got:
+
+========
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+allow-hotplug eth0
+iface eth0 inet static
+ address 154.35.132.152/28
+ gateway 154.35.132.145
+iface eth0 inet6 static
+ address 2607:8500:5:1::5a2c/64
+ gateway 2607:8500:5:1::1
+ accept_ra 0
+========
+
+ Your IP will vary.
+
+ * Edit /etc/resolv.conf and /etc/hosts so that they include the
+ proper domain. (It is probably torproject.org, not
+ rethemhosting.)
+
+ * Reboot the new host (with shutdown -r now), and make sure it comes
+ up with the right IP.
+
+ * Now you are going to read new-machine-cymru on alberti! It lives
+ in /src/db.torproject.org.
+
+ Follow its instructions _on the new host_ as root.
+
+ * You will be told to recursively follow the instructions in
+ new-machine on alberti, which lives in the same repository. Do
+ so.
+
+ Some notes:
+ - You will need to be root for nearly all of this.
+ - If something just won't work, try puppet agent -t on the
+ new host again, and give it another try.
+ - Use weasel's magical pws scripts to manage the
+ tor-passwords repository.
+
+ * On the new host, if there is an /etc/apt/sources.list.d/debian.list,
+ remove /etc/apt/sources.list, then apt-get update.
+
+ * Run one last "apt-get update && apt-get dist-upgrade && apt-get clean"
+
+ * Reboot again for good measure!
+
+ * (Unless you used -o HostKeyAlgorithms=ssh-rsa before:)
+ When you next ssh into the new host, the key will probably have
+ changed. That's because it switched from ECDSA to RSA. Don't
+ worry, but make sure you got the right one.
+
+NOW YOU HAVE A HOST!
+
+But, nobody can log into it. That's sad.
+
+I wanted to set it up so that ioerror could log in and become a new
+"tormumble" role and administer the stuff.
+
+= So here's how I made the tormumble role and stuff!
+
+ * Do the magic thing on alberti again to edit the ldap database.
+
+ Create a role account and associated group in ldap - ldapvi and
+ copy one from before, picking a free uid/gid number pair.
+
+ Add the group to the allowedGroups for the host.
+
+ Add the group to the supplemenataryGids for the users who should
+ be in it.
+
+ Then, in puppet:
+
+ /usr/sbin/visudo -f ./modules/sudo/files/sudoers
+
+ And add a line of the form:
+
+ %rolename hostname=(groupname) ALL
+
+ * Then on the host, you need to log in as the role user to create
+ their homedir and stuff. Do su - <role account> to do this, then
+ log out again.
+
+ If you couldn't log in, then the LDAP info hasn't propagated
+ yet. Run this on alberti:
+ sudo -u sshdist ud-generate
+ And this on the new host as root:
+ ud-replicate
+
+ * Move the home directory to the right place:
+
+ mkdir /srv/<roledirectoryservicewhatever>.torproject.org
+ mv /home/<roleuser> to /srv/$foo/home
+
+ , then replace the original location with a symlink
+
+ Also, chown /srv/<roledirectoryservicewhatever>.torproject.org
+ to the new <roleuser>:<rolegroup>