path: root/wiki/src/contribute/working_together/roles/sysadmins.mdwn
Diffstat (limited to 'wiki/src/contribute/working_together/roles/sysadmins.mdwn')
1 files changed, 38 insertions, 0 deletions
diff --git a/wiki/src/contribute/working_together/roles/sysadmins.mdwn b/wiki/src/contribute/working_together/roles/sysadmins.mdwn
index c0b6e5b..276a8de 100644
--- a/wiki/src/contribute/working_together/roles/sysadmins.mdwn
+++ b/wiki/src/contribute/working_together/roles/sysadmins.mdwn
@@ -178,6 +178,34 @@ We use Redmine tickets for public discussion and tasks management:
- `tails::git_annex::mirror` defined resource in
[[!tails_gitweb_repo puppet-tails]]
+## Icinga2
+* purpose: Monitor Tails online services and systems.
+* access: only Tails core developers can read-only the Icingaweb2 interface,
+ sysadmins are RW and receive notifications by email.
+* setup: We have one Icinga2 instance installed on a dedicated system
+ used as the master of all our Icinga2 zones. We use a VM on the other
+ bare-metal host as the Icinga2 satellite of our master. Icinga2 agents are
+ installed on every other VM and the host itself. They report back to
+ the satellite, which transmits to the master. We spread the Icinga2
+ configuration with Puppet. This way, we achieve a certain isolation
+ where the master or the satellite have no right to configure agents or
+ run arbitrary commands on them.
+* tools: [[!debpts icinga2 desc="Icinga2"]], [[!debpts icingaweb2]]
+* configurations
+ - master:
+ * `tails::monitoring::master` class in [[!tails_gitweb_repo puppet-tails]].
+ * some configuration in the node manifest.
+ * See Vpn section.
+ - web server:
+ * `tails::monitoring::icingaweb2` class in [[!tails_gitweb_repo puppet-tails]],
+ that wraps around [upstream `icingaweb2` module](
+ * some configuration in the node manifest.
+ - satellite:
+ * `tails::monitoring::satellite` class in [[!tails_gitweb_repo puppet-tails]],
+ - agents:
+ * `tails::monitoring::agent` class in [[!tails_gitweb_repo puppet-tails]]
## Jenkins
* purpose: continuous integration, e.g. build Tails ISO images from
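Review bot: the `setup` bullet of the new Icinga2 section states that the master and the satellite "have no right to configure agents or run arbitrary commands on them", but nothing in the section says what enforces this. It is the security property the whole layout relies on, so name the agent-side setting or the part of `tails::monitoring::agent` that implements it, so that a sysadmin can verify it on a node. In Icinga2 this is normally controlled by the ApiListener `accept_config` and `accept_commands` options; whether that is the mechanism used here is not visible in this patch. Smaller points in the same hunk: the "[upstream" link under "web server" has no target and no closing parenthesis as shown here, the satellite item ends with a dangling comma, "See Vpn section." does not match the `## VPN` heading this patch adds, and "can read-only the Icingaweb2 interface" would read better as "have read-only access to the Icingaweb2 interface".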
@@ -224,6 +252,16 @@ We use Redmine tickets for public discussion and tasks management:
[[!tails_gitweb_repo puppet-tails]]
- `tor::daemon::relay` in [[!tails_gitweb_repo puppet-tor]]
+## VPN
+* purpose: flow through VPN traffic the connections between our
+ different remote systems. Mainly used by the monitoring service.
+* access: private network.
+* tools: [[!debpts tinc]]
+* configuration:
+ - `tails::vpn::instance` class in the [[!tails_gitweb_repo puppet-tails]]
+ repo.
## Web server
* purpose: serve web content for any other service that need it
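Review bot: `access: private network.` in the new VPN section does not say who or what has access, unlike the Icinga2 entry in this patch, which names core developers and sysadmins. State which systems are tinc nodes and who can add a node or manage its keys, or point to where `tails::vpn::instance` defines that. The purpose line "flow through VPN traffic the connections between our different remote systems" is hard to parse; something like "route the connections between our remote systems through a VPN" says the same thing. The bullet is also labelled `configuration:` here but `configurations` in the Icinga2 section; pick one.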