TPA-RFC-73: Propose a new "Migrate" action (team#41721)

- **Keep:** Services that will be kept and maintained. They are all impacted by Puppet repo/codebase merge as their building blocks will eventually be replaced (eg. web server, TLS, etc), but they'll nevertheless be kept as fundamental for the work of the Tails Team.

- **Merge:** Services that will be kept, are already provided by Tails and TPA using the same software/system, and for which keeping only depends on migration of data and, eventually, configuration.

- **Retire:** Services that will either be shutdown completely or replaced by a different implementation which either Tails or TPA already provides.

- **Migrate:** Services that are already provided by TPA with a different software/system and need to be migrated.

- **Retire:** Services that will be shutdown completely.

 [Keep]: #actions

 [Merge]: #actions

 [Migrate]: #actions

 [Retire]: #actions

### Complexity

**Constraints:**

- Blocks retirement of DNS

- Blocks migration of DNS

- Requires po4a from Bullseye

- Requires ikiwiki from https://deb.tails.boum.org (relates to the merge of the [APT repository][])

- https://gitlab.tails.boum.org/tails/tails/-/issues/18721

- https://gitlab.tails.boum.org/sysadmin-team/container-images/-/blob/main/ikiwiki/Containerfile

## Retire

## Migrate

### Backups

**Stakeholders:** TPA

**Action:** [Retire][] either Borg or Bacula

**Action:** [Migrate][] one side to either Borg or Bacula

- Experiment with Borg in Tor

- Choose either Borg or Bacula and migrate everything to one of them

**Complexity:** [Medium][]

**Constraints:** Blocks the retirement of [Monitoring](#monitoring)

**Constraints:** Blocks the migration of [Monitoring](#monitoring)

**References:**

 [Backups]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41805

### Bitcoin

**Summary:** Tails' Bitcoin wallet.

**Stakeholders:** Finances

**Action:** [Retire][], hand-over to Tor accounting

**Complexity:** [Low][]

**Constraints:** ∅

**References:**

- [Bitcoin][]

 [Bitcoin]: https://tails.net/contribute/working_together/roles/sysadmins/services/#index2h1

### Calendar

**Summary:** Only the Sysadmins calendar is left to retire.

**Stakeholders:** TPA, Tails Team

**Action:** [Retire][]

**Action:** [Migrate][] to Nextcloud

**Complexity:** [Low][]

**Stakeholders:** TPA

**Action:** [Retire][]

**Action:** [Migrate][]

- Migrate into a simpler design

- Migrate to either tor's configuration or, if impractical, use tails' powerdns as primary

**Stakeholders:** TPA

**Action:** [Retire][], in favor of Trocla

**Action:** [Migrate][] to Trocla

**Complexity:** [Medium][]

**Summary:** Custom Puppet module built on top of a 3rd-party module.

**Stakeholders:** 

**Stakeholders:** TPA

**Action:** [Retire][]

**Action:** [Migrate][]

- Migrate both codebases to puppetized nftables

**Stakeholders:** Tails Team

**Action:** [Retire][], in favor of GitLab's [Git LFS][]

**Action:** [Migrate][] to GitLab's [Git LFS][]

**Complexity:** [Low][]

**Stakeholders:** TPA, Tails Team

**Action:** [Retire][]

**Action:** [Migrate][] to GitLab

- `etcher-binary`: Obsolete (already migrated to GitLab)

- `gitlab-migration-private`: Migrate to GitLab and archive

**Stakeholders:** Tails Team

**Action:** [Retire][]

- Move to GitLab CI

**Action:** [Migrate][] to GitLab CI

**Complexity:** [High][]

**Stakeholders:** TPA

**Action:** [Retire][], in favor of [Tor's CDN][]:

**Action:** [Migrate][] to [Tor's CDN][]:

- Advantages:

  - Can help mitigate [certain risks](https://gitlab.torproject.org/tpo/tpa/tails/sysadmin/-/issues/18117)

**Stakeholders:** TPA

**Action:** [Retire][], in favor of Prometheus

**Action:** [Migrate][] to Prometheus

**Complexity:** [High][]

**Stakeholders:** TPA

**Action:** [Retire][], choose one solution and retire the other

**Action:** [Migrate][] to Tor's implementation

**Complexity:** [Medium][]

**Constraints:** Blocks the retirement of [Monitoring](#monitoring)

**Constraints:** Blocks the migration of [Monitoring](#monitoring)

**References:** 

- [`tails::profile::letsencrypt`](https://gitlab.tails.boum.org/tails/puppet-tails/-/blob/master/manifests/profile/letsencrypt.pp)

### Tor Bridge

**Summary:** Not used for dev, but rather to "give back to the community".

**Stakeholders:** Tor Users

**Action:** [Retire][]

**Complexity:** [Low][]

**Constraints:** ∅

**References:**

- [Tor Bridge][]

 [Tor Bridge]: https://tails.net/contribute/working_together/roles/sysadmins/services/#index16h1

### XMPP bot

**Summary:** It's only feature is to paste URLs and titles on issue mentions.

**Stakeholders:** Tails Team

**Action:** [Retire][]

**Action:** [Migrate][] to the same bot used by TPA

**Complexity:** [Low][]

**Stakeholders:** Tails Team

**Action:** [Retire][], in favor of IRC (or whatever Tor moves to)

**Action:** [Migrate][] to IRC

**Complexity:** [Medium][]

**Stakeholders:** TPA

**Action:** [Retire][], in favor of Ganeti

**Action:** [Migrate][] to Ganeti

**Complexity:** [Medium][]

**References:** ∅

## Retire

### Bitcoin

**Summary:** Tails' Bitcoin wallet.

**Stakeholders:** Finances

**Action:** [Retire][], hand-over to Tor accounting

**Complexity:** [Low][]

**Constraints:** ∅

**References:**

- [Bitcoin][]

 [Bitcoin]: https://tails.net/contribute/working_together/roles/sysadmins/services/#index2h1

### Tor Bridge

**Summary:** Not used for dev, but rather to "give back to the community".

**Stakeholders:** Tor Users

**Action:** [Retire][]

**Complexity:** [Low][]

**Constraints:** ∅

**References:**

- [Tor Bridge][]

 [Tor Bridge]: https://tails.net/contribute/working_together/roles/sysadmins/services/#index16h1

### VPN

**Summary:** Tinc connecting VMs hosted by 3rd-parties and physical servers.

```mermaid

flowchart TD

    classDef retire fill:#f99,stroke:#f00,color:black;

    classDef keep fill:#9f9,stroke:#090,color:black;

    classDef merge fill:#adf,stroke:#00f,color:black;

    classDef migrate fill:#f99,stroke:#f00,color:black;

    classDef white fill:#fff,stroke:#000;

    subgraph Captions

      style Captions fill:#fff,stroke:#fff;

      Keep; class Keep keep

      Merge; class Merge merge

      Migrate; class Migrate migrate

      Retire; class Retire retire

      Low([Low complexity]); class Low white;

      High{{High complexity}}; class High white;

    end

    subgraph Independent [Independent from Puppet]

    subgraph Independent [Puppet-agnostic]

        Documentation([Documentation]) ~~~

        PasswordStore([Password Store]) ~~~

        Mailman>Mailman lists] ~~~

        Colocations>Colocations] ~~~

        SecurityPolicy{{Security Policy}}

        Mailman>Mailman lists] ~~~

        PasswordStore([Password Store]) ~~~

        Registrars>Registrars] ~~~

        GitLab>GitLab] ~~~

        Calendar([Calendar])

    end

    subgraph PuppetBlockers [Merges and retirements]

    subgraph PuppetBlockers [Puppet-merge-agnostic]

        AptRepository>APT repository] ~~~

        LimeSurvey>LimeSurvey] ~~~

        Bitcoin([Bitcoin]) ~~~

        Weblate{{Weblate}} ~~~

        git-annex([git-annex]) -->

        Gitolite([Gitolite]) ~~~

        XMPP>XMPP] -->

        XmppBot([XMPP bot])

        Jenkins{{Jenkins}} -->

        VPN{{VPN}}

        MTA>MTA] ~~~

        Weblate{{Weblate}} ~~~

        Website>Website] ~~~

        TorBridge([Tor Bridge]) ~~~

        MirrorPool{{Mirror pool}} ~~~

        Jenkins{{Jenkins}} -->

        VPN{{VPN}}

        XMPP>XMPP] -->

        XmppBot([XMPP bot]) ~~~

        Bitcoin([Bitcoin]) ~~~

        TorBridge([Tor Bridge])

    end

    subgraph Puppet [Puppet repo and server]

    end

    subgraph Basic [Basic system functionality]

        Authentication{{Authentication}} ~~~

        WebServer>Web servers] ~~~

        DNS{{DNS}} ~~~

        Firewall{{Firewall}} ~~~

        Authentication{{Authentication}} ~~~

        Backups([Backups]) --> Monitoring{{Monitoring}}

        Firewall ~~~

        TLS([TLS]) --> Monitoring

        TLS([TLS]) --> Monitoring ~~~

        DNS{{DNS}} ~~~

        Firewall{{Firewall}}

        Authentication ~~~ TLS

    end

    subgraph ToKeep [Keep]

        TbArchive([Tor Browser archive]) ~~~

        BitTorrent([BitTorrent]) ~~~

        WhisperBack([WhisperBack]) ~~~

        AptSnapshots{{APT snapshots}} ~~~

        Schleuder([Schleuder])

        Schleuder([Schleuder]) ~~~

        AptSnapshots{{APT snapshots}}

    end

    Captions ~~~ Independent ~~~ PuppetBlockers --> PuppetCodebase

    ToKeep --> PuppetCodebase

    PuppetCodebase --> Virtualization([Virtualization])

    class DNS retire

    class Firewall retire

    class Backups retire

    class EYAML retire

    class git-annex retire

    class Gitolite retire

    class Monitoring retire

    class MirrorPool retire

    class DNS retire

    class TLS retire

    class Bitcoin retire

    class Calendar retire

    class Virtualization retire

    class VPN retire

    class XMPP retire

    class XmppBot retire

    class Jenkins retire

    class TorBridge retire

    class DNS migrate

    class Firewall migrate

    class Backups migrate

    class EYAML migrate

    class git-annex migrate

    class Gitolite migrate

    class Monitoring migrate

    class DNS migrate

    class TLS migrate

    class Calendar migrate

    class Virtualization migrate

    class Jenkins migrate

    class XMPP migrate

    class XmppBot migrate

    class MirrorPool migrate

    class CommitSigning keep

    class TorPuppet7 keep

    class HedgeDoc keep