remove non-tsa content

copyright.md

-<em><small>[The Tor Project](https://www.torproject.org/).</small></em>

doc.md

+<!-- update with `ls -d doc/*.md | sed 's/.md$//;s/\(.*\)/ * [\1](doc\/\1)/'` -->
+
+ * [accounts](doc/accounts)
+ * [admins](doc/admins)
+ * [bits-and-pieces](doc/bits-and-pieces)
+ * [extra](doc/extra)
+ * [hardware-requirements](doc/hardware-requirements)
+ * [how-to-get-help](doc/how-to-get-help)
+ * [naming-scheme](doc/naming-scheme)
+ * [reporting-email-problems](doc/reporting-email-problems)
+ * [services](doc/services)
+ * [ssh-jump-host](doc/ssh-jump-host)
+ * [static-sites](doc/static-sites)
+ * [svn-accounts](doc/svn-accounts)
+

tsa/doc/admins.md → doc/admins.md

@@ -2,4 +2,4 @@
 title: sys admin and service admin tasks
 ---
 
-Moved to [tsa/policy/tpa-rfc-2-support](tsa/policy/tpa-rfc-2-support#service-admins).
+Moved to [policy/tpa-rfc-2-support](policy/tpa-rfc-2-support#service-admins).

tsa/doc/bits-and-pieces.md → doc/bits-and-pieces.md

@@ -49,4 +49,4 @@ being expanded a bit to deserve their own page.
 
 ## Puppet
 
-See [tsa/howto/puppet](tsa/howto/puppet).
+See [howto/puppet](howto/puppet).

tsa/doc/extra.md → doc/extra.md

@@ -9,4 +9,4 @@ Extra is used to host images that can be linked in blog posts and the like. The
 link images from your own computer or people.tpo.
 
 Extra is used like other static sites within tpo.
-[Learn how to write to extra](tsa/doc/static-sites)
+[Learn how to write to extra](doc/static-sites)

tsa/doc/hardware-requirements.md → doc/hardware-requirements.md

@@ -13,7 +13,7 @@ please see the [donation site][].
 [donation site]: https://donate.torproject.org/
 
 This list is not final, and if you have questions, please [contact
-us](tsa/doc/how-to-get-help).
+us](doc/how-to-get-help).
 
 Must have:
 

doc/how-to-get-help.md

+How to get help
+===============
+
+This policy was moved to [the how-to-get-help policy](policy/tpa-rfc-2-support#how-to-get-help).

tsa/doc/naming-scheme.md → doc/naming-scheme.md

@@ -15,13 +15,13 @@ but they should eventually point to one of those, generally
 All TPA-managed machines and services on those machines should be
 under `torproject.org`. The naming scheme of the individual machines
 is detailed below. This is managed by TPA directly through
-[tsa/howto/dns](tsa/howto/dns).
+[howto/dns](howto/dns).
 
 External services and machines *can* be hosted under
 `torproject.net`. In that case, the only association is a `CNAME` or
 `A` record pointing to the other machine. To get such a record,
 contact TPA using the normal communication channels detailed in
-[tsa/doc/how-to-get-help](tsa/doc/how-to-get-help).
+[doc/how-to-get-help](doc/how-to-get-help).
 
 Machine naming scheme
 =====================
@@ -84,13 +84,13 @@ Network naming
 
 Networks also have names. The network names are used in reverse DNS to
 designate network, gateway and broadcast addresses, but also in
-[tsa/howto/ganeti](tsa/howto/ganeti), where networks are managed automatically for virtual
+[howto/ganeti](howto/ganeti), where networks are managed automatically for virtual
 machines.
 
 Future networks should be named `FUN-LOCNN-ID` (example
 `gnt-fsn13-02`) where:
 
- * `FUN` is the function (e.g. `gnt` for [tsa/howto/ganeti](tsa/howto/ganeti))
+ * `FUN` is the function (e.g. `gnt` for [howto/ganeti](howto/ganeti))
  * `LOCNN` is the location (e.g. `fsn13` for Falkenstein)
  * `ID` is a two-character number, padded with zero, starting from
    one, to distinguish multiple instances at the same

tsa/doc/reporting-email-problems.md → doc/reporting-email-problems.md

@@ -29,4 +29,4 @@ If you can't send a copy of the original message for privacy reasons,
 at least include the headers of the email.
 
 Send us the message using the regular methods, as appropriate, see
-[tsa/doc/how-to-get-help](tsa/doc/how-to-get-help) for details.
+[doc/how-to-get-help](doc/how-to-get-help) for details.

tsa/doc/services.md → doc/services.md

@@ -5,7 +5,7 @@ title: Running non-root services
 Service on TPO machines are often run as regular users, from normal
 sessions, instead of the usual `/etc/init.d` or `systemd`
 configuration provided by Debian packages. This is part of our
-[service vs system admin distinction](tsa/doc/admins).
+[service vs system admin distinction](doc/admins).
 
 This page aims at documenting how such services are started and
 managed. There are many ways this can be done: many services have been

tsa/doc/static-sites.md → doc/static-sites.md

@@ -13,7 +13,7 @@ too, like extra.tp.o, dist.tp.o, and more.
 How do you edit one of these websites? Let's say you want to edit `extra`.
 
 * First you ssh in to `staticiforme` (using an [ssh jump
-  host](tsa/doc/ssh-jump-host) if needed)
+  host](doc/ssh-jump-host) if needed)
 
 * Then you make your edits as desired to
   `/srv/extra-master.torproject.org/htdocs/`
@@ -43,4 +43,4 @@ How does this work?
 ===================
 
 If you're a sysadmin and wondering how that stuff work or do anything
-back there, look at [tsa/howto/static-component](tsa/howto/static-component).
+back there, look at [howto/static-component](howto/static-component).

howto.md

+<!-- update with `ls -d howto/*.md | sed 's/.md$//;s/\(.*\)/ * [\1](howto\/\1)/'` -->
+
+ * [backup](howto/backup)
+ * [build_and_upload_debs](howto/build_and_upload_debs)
+ * [cache](howto/cache)
+ * [conference](howto/conference)
+ * [create-a-new-user](howto/create-a-new-user)
+ * [cumin](howto/cumin)
+ * [dns](howto/dns)
+ * [drbd](howto/drbd)
+ * [fabric](howto/fabric)
+ * [ganeti](howto/ganeti)
+ * [git](howto/git)
+ * [gitlab](howto/gitlab)
+ * [gitlab](howto/gitlab)
+ * [grafana](howto/grafana)
+ * [incident-response](howto/incident-response)
+ * [ipsec](howto/ipsec)
+ * [irc](howto/irc)
+ * [kvm](howto/kvm)
+ * [ldap](howto/ldap)
+ * [letsencrypt](howto/letsencrypt)
+ * [logging](howto/logging)
+ * [lvm](howto/lvm)
+ * [nagios](howto/nagios)
+ * [new-machine](howto/new-machine)
+ * [new-machine-hetzner-cloud](howto/new-machine-hetzner-cloud)
+ * [new-machine-hetzner-robot](howto/new-machine-hetzner-robot)
+ * [new-machine-mandos](howto/new-machine-mandos)
+ * [new-machine](howto/new-machine)
+ * [new-person](howto/new-person)
+ * [openstack](howto/openstack)
+ * [postgresql](howto/postgresql)
+ * [prometheus](howto/prometheus)
+ * [puppet](howto/puppet)
+ * [raid](howto/raid)
+ * [retire-a-host](howto/retire-a-host)
+ * [retire-a-user](howto/retire-a-user)
+ * [rt](howto/rt)
+ * [static-component](howto/static-component)
+ * [submission](howto/submission)
+ * [svn](howto/svn)
+ * [template](howto/template)
+ * [tls](howto/tls)
+ * [trac](howto/trac)
+ * [upgrades](howto/upgrades)
+ * [upgrades](howto/upgrades)
+ * [wkd](howto/wkd)
+

tsa/howto/backup.md → howto/backup.md

@@ -441,7 +441,7 @@ director.
     no non-idle 'postgres: bacula bacula' processes and it doesn't
     have any open tcp connections?`
 
- 4. create a [tsa/howto/new-machine](tsa/howto/new-machine) run [tsa/howto/Puppet](tsa/howto/Puppet) with the
+ 4. create a [howto/new-machine](howto/new-machine) run [howto/Puppet](howto/Puppet) with the
     `roles::backup::director` class applied to the node, say in
     `hiera/nodes/bacula-director-01.yaml`:
 
@@ -474,7 +474,7 @@ director.
     configured by hand.
 
     TODO: Do consider deploying it with Puppet, as discussed in
-    [tsa/howto/postgresql](tsa/howto/postgresql).
+    [howto/postgresql](howto/postgresql).
 
  6. Install the right version of PostgreSQL.
  
@@ -495,12 +495,12 @@ director.
 
  7. Once the base backup from step one is completed (or if there is no
     old director left), restore the cluster on the new host, see the
-    "Indirect restore procedure" in [tsa/howto/postgresql](tsa/howto/postgresql)
+    "Indirect restore procedure" in [howto/postgresql](howto/postgresql)
 
  8. You will also need to restore the file
     `/etc/dsa/bacula-reader-database` from backups (see "Getting files
     without a director", below), as that file is not (currently)
-    managed through [tsa/howto/puppet](tsa/howto/puppet) (TODO). Alternatively, that file can be
+    managed through [howto/puppet](howto/puppet) (TODO). Alternatively, that file can be
     recreated by hand, using a syntax like this:
 
         user=bacula-dictyotum-reader password=X dbname=bacula host=localhost
@@ -524,7 +524,7 @@ director.
  10. copy over the `pg_hba.conf` and `postgresql.conf` (now
      `conf.d/tor.conf`) from the previous director cluster
      configuration (e.g. `/var/lib/postgresql/9.6/main`) to the new
-     one (TODO: put in [tsa/howto/puppet](tsa/howto/puppet)). Make sure that:
+     one (TODO: put in [howto/puppet](howto/puppet)). Make sure that:
      
      * the cluster name (e.g. `main` or `bacula`) is correct in the
        `archive_command1`
@@ -577,7 +577,7 @@ director.
     
          bacula::client::director_server: 'bacula-director-01.torproject.org'
 
- 14. run [tsa/howto/puppet](tsa/howto/puppet) everywhere (or wait for it to run):
+ 14. run [howto/puppet](howto/puppet) everywhere (or wait for it to run):
  
          cumin -b 5 -p 0 -o txt '*' 'puppet agent -t'
 
@@ -605,7 +605,7 @@ director.
 
 The new scheduler and director should now have completely taken over
 the new one, and backups should resume. The old server can now be
-[decommissioned](tsa/howto/retire-a-host), if it's still around, when you feel
+[decommissioned](howto/retire-a-host), if it's still around, when you feel
 comfortable the new setup is working.
 
 TODO: `15:19:55 <weasel> and once that's up and running, it'd probably be smart to upgrade it to 11.  pg_upgradecluster -m upgrade --link`
@@ -684,7 +684,7 @@ put their names into a file such as `include` and call bextract with `-i`:
 Restore PostgreSQL databases
 ----------------------------
 
-See [tsa/howto/postgresql](tsa/howto/postgresql) for restore instructions on PostgreSQL databases.
+See [howto/postgresql](howto/postgresql) for restore instructions on PostgreSQL databases.
 
 Restore MySQL databases
 -----------------------
@@ -702,13 +702,13 @@ Load each database dump:
 Restore LDAP databases
 ----------------------
 
-See [tsa/howto/ldap](tsa/howto/ldap) for LDAP-specific procedures.
+See [howto/ldap](howto/ldap) for LDAP-specific procedures.
 
 
 Monitoring warnings
 -------------------
 
-Hint: see also the [tsa/howto/postgresql](tsa/howto/postgresql) documentation for the backup
+Hint: see also the [howto/postgresql](howto/postgresql) documentation for the backup
 procedures specific to that database.
 
 If a job is behaving strangely, you can inspect its job log to see
@@ -819,7 +819,7 @@ everywhere apart from a few rare exceptions (currently only CiviCRM)
 and therefore use postgres-specific configurations to do backups of
 all our servers.
 
-See [tsa/howto/postgresql](tsa/howto/postgresql) for that server's specific backup/restore
+See [howto/postgresql](howto/postgresql) for that server's specific backup/restore
 instructions.
 
 ## MySQL backup system

tsa/howto/cache.md → howto/cache.md

@@ -7,7 +7,7 @@ web server.
 # Tutorial
 
 To inspect the current cache hit ratio, head over to the [cache health
-dashboard](https://grafana.torproject.org/d/p21-cvJWk/cache-health) in [tsa/howto/grafana](tsa/howto/grafana). It should be at least 75% and generally
+dashboard](https://grafana.torproject.org/d/p21-cvJWk/cache-health) in [howto/grafana](howto/grafana). It should be at least 75% and generally
 over or close to 90%.
 
 # How-to
@@ -50,7 +50,7 @@ then hit `;` to enter the SQL query mode and issue this query:
 
     SELECT count(*), upstream_cache_status FROM logline WHERE status_code < 300 GROUP BY upstream_cache_status;
 
-See also [tsa/howto/logging](tsa/howto/logging) for more information about lnav.
+See also [howto/logging](howto/logging) for more information about lnav.
 
 ## Pager playbook
 
@@ -98,13 +98,13 @@ geographically distinct areas that run a webserver acting as a
 [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy). In our case, we run the [Nginx webserver](https://nginx.org/) with
 the [proxy module](https://nginx.org/en/docs/http/ngx_http_proxy_module.html) for the <https://blog.torproject.org/> website
 (and eventually others, see [ticket #32462](https://bugs.torproject.org/32462)). One server is in the
-[tsa/howto/ganeti](tsa/howto/ganeti) cluster, and another is a VM in the Hetzner Cloud
+[howto/ganeti](howto/ganeti) cluster, and another is a VM in the Hetzner Cloud
 (2.50EUR/mth).
 
 DNS for the site points to `cache.torproject.org`, an alias for the
 caching servers, which are currently two: `cache01.torproject.org`
 [[sic](https://en.wikipedia.org/wiki/Sic)] and `cache-02`. An HTTPS certificate for the site was
-issued through [tsa/howto/letsencrypt](tsa/howto/letsencrypt). Like the Nginx configuration, the
+issued through [howto/letsencrypt](howto/letsencrypt). Like the Nginx configuration, the
 certificate is deployed by Puppet in the `roles::cache` class.
 
 When a user hits the cache server, content is served from the cache
@@ -120,7 +120,7 @@ Requests to the cache are logged to the disk in
 `/var/log/nginx/ssl.$hostname.access.log`, with IP address and user
 agent removed. Then [mtail](https://github.com/google/mtail) parses those log files and increments
 various counters and exposes those as metrics that are then scraped by
-[tsa/howto/prometheus](tsa/howto/prometheus). We use [tsa/howto/grafana](tsa/howto/grafana) to display that hit ratio which, at
+[howto/prometheus](howto/prometheus). We use [howto/grafana](howto/grafana) to display that hit ratio which, at
 the time of writing, is about 88% for the blog.
 
 ## Puppet architecture
@@ -380,7 +380,7 @@ ranging from 3EUR/mth to 30EUR/mth depending on the VPS size (between
 Dedicated servers start at 34EUR/mth (`EX42`, 64GB ram 2x4TB HDD) for
 unlimited gigabit.
 
-We first go with a virtual machine in the [tsa/howto/ganeti](tsa/howto/ganeti) cluster and also
+We first go with a virtual machine in the [howto/ganeti](howto/ganeti) cluster and also
 a VM in Hetzner Cloud (2.50EUR/mth).
 
 ## Proposed Solution

tsa/howto/conference.md → howto/conference.md

@@ -7,7 +7,7 @@ Jitsi, or Big Blue Button.
 
 [Merriam-Webster]: https://www.merriam-webster.com/dictionary/conference
 
-While [tsa/howto/irc](tsa/howto/irc) can also be used to hold a meeting or conference, it's
+While [howto/irc](howto/irc) can also be used to hold a meeting or conference, it's
 considered out of scope here.
 
 [[_TOC_]]

tsa/howto/create-a-new-user.md → howto/create-a-new-user.md

 [[_TOC_]]
 
 This document explains how to create new shell (and email) accounts.
-See also [tsa/doc/accounts](tsa/doc/accounts) to evaluate new account requests.
+See also [doc/accounts](doc/accounts) to evaluate new account requests.
 
 # Configuration
 
@@ -22,7 +22,7 @@ being. If this is for a machine or another automated thing, create a
 role account (see below).
 
 To create a new user, specific information need to be provided by the
-requestee, as detailed in [tsa/doc/accounts](tsa/doc/accounts).
+requestee, as detailed in [doc/accounts](doc/accounts).
 
 The short version is:
 
@@ -49,7 +49,7 @@ For example, your laptop.
   1. verify the OpenPGP key provided
 
      It should be signed by a trusted key in the keyring or in a
-     message signed by a trusted key. See [tsa/doc/accounts](tsa/doc/accounts) when
+     message signed by a trusted key. See [doc/accounts](doc/accounts) when
      unsure.
 
   2. add pgp key to the `account-keyring` repository:
@@ -174,7 +174,7 @@ Here's how to create a role account:
         }
 
 Sometimes a role account is made to start services, see the
-[tsa/doc/services](tsa/doc/services) page for instructions on how to do that.
+[doc/services](doc/services) page for instructions on how to do that.
 
 # Sudo configuration