A few of those steps might actually clean some of the stuff the nagios
check will catch.

Prevent non-root users from logging in while the upgrade is in progress.
See pam_nologin.so

This will reduce the noise in subsequent runs.

Those are not present in bullseye and somehow do not get cleaned up on
dist-upgrade.

That df output can zip by really fast on a fast uplink, and is
therefore lost in the noise. While we can scrollback to see it, we
need to know about it.

We also just remove that confusing "-o APT::Get::Trivial-Only=true"
blob. It's unclear what it does from the outside. It was originally
taken from the official upgrade procedure as a mechanism to show how
much disk would be used by the upgrade, but the download steps we use
already show that information anyways, so it's actually a duplicate.

We don't need a pause here, what follows below is not the full
upgrade, only the download. And if *that* fails, it's pretty harmless
as it just requires an `apt clean`.

We don't need more interactions in this already long process.

This reverts commit 55ceff5e.

This removes the annoying quotes around all output lines.

This was previously used to track which machine had been upgraded, but
it's really error prone. Just doing this, I found at least one machine
where we forgot to update this file (gayi, still marked as stretch).

That information is also available in PuppetDB (and more accurate)
anyways. It's the datasource we use now to do reports on the upgrade
progress.

To track which host is running a given release, run this on the
PuppetDB host (currently pauli):

    curl -s -G http://localhost:8080/pdb/query/v4 --data-urlencode 'query=nodes { facts { name = "lsbdistcodename" and value = "buster" }}' | jq -r .[].certname

The above will show "buster" nodes, for example.

It's also pretty useless: we could, in theory, use this to (say)
acknowledge all problems matching a given OS, but in practice I have
never done this in three years so far, and it's not because I didn't
know about this group.

So, automation wins here: less churn and manual changes is good. If we
eventually reimplement this in Puppet, we could, in theory, restore
this group, but I don't even think *that* is worth it.

See also team#32901.

Otherwise it will get removed by autoremove and then reinstalled by
Puppet...

It's now pushed by Puppet on the hosts.

Minutes 2022 04 04

See merge request anarcat/wiki-replica!2

Closes: team#40662

Document building Docker images with kaniko in Gitlab

Closes gitlab#90

See merge request !28

Closes: #90.

I'm not sure where that comment came from: I looked in the tor-nagios
history and couldn't find a trace of that plugin.

We might set it up eventually though, as part of team#40706.

We've just had a situation where a TPA member pushed to pauli as root
which could have messed up the repository's permission. This was
discovered by the post-receive hook which said it was pushed as root,
which is good.

Such a configuration should prevent those issues on most services.

In particular, I add the jump host there to avoid logging in as root
as it's not necessary. The same with the LDAP server, running ldapvi
can (and should) be done as a regular user.