System administrators
Download Tails 0.23 March 19, 2014
  1. Goals
  2. Principles
    1. Infrastructure as code
    2. Free Software
    3. Relationships with upstream
  3. Tools
  4. Communication
  5. Services
    1. APT repository
    2. Bitcoind
    3. BitTorrent
    4. Debian package builder
    5. Gitolite
    6. Jenkins
    7. rsync
    8. Tor bridge
    9. Web server
    10. WhisperBack relay

Goals

The Tails system administrators set up and maintain the infrastructure that supports the development and operations of Tails. We aim at making the life of Tails contributors easier, and to improve the quality of the Tails releases.

Principles

Infrastructure as code

We want to treat system administration like a (free) software development project:

  • We want to enable people to participate without needing an account on the Tails servers.
  • We want to review the changes that are applied to our systems.
  • We want to be able to easily reproduce our systems via automatic deployment.
  • We want to share knowledge with other people.

This is why we try to publish as much as possible of our systems configuration, and to manage our whole infrastructure with configuration management tools. That is, without needing to log into hosts.

Free Software

We use Free Software, as defined by the Debian Free Software Guidelines.
The firmware our systems might need are the only exception to this rule.

Relationships with upstream

The principles used by the broader Tails project also apply for system administration.

Tools

The main tools used to manage the Tails infrastructure are:

  • Debian GNU/Linux; in the vast majority of cases, we run the current stable release
  • Puppet, a configuration management system
  • Git to host and deploy configuration, including our Puppet modules

Communication

A few people have write access to the puppetmasters, and can log into the hosts.
They read the tails-sysadmins@boum.org encrypted mailing-list.

We use Redmine tickets for public discussion and tasks management:

Services

APT repository

  • purpose: host Tails-specific Debian packages
  • documentation
  • access: anyone can read, Tails core developers can write
  • tools: reprepro
  • configuration: tails::reprepro class in puppet-tails

Bitcoind

  • purpose: handle the Tails Bitcoin wallet
  • access: Tails core developers only
  • tools: bitcoind
  • configuration: bitcoind class in puppet-bitcoind

BitTorrent

Debian package builder

Gitolite

  • purpose: host Git repositories used by the puppetmaster and other services; mostly useless for humans
  • access: Tails core developers only
  • tools: gitolite
  • configuration: tails::gitolite class in puppet-tails

Jenkins

  • purpose: continuous integration, e.g. build Tails ISO images from source and run test suites
  • access: only Tails core developers can see the Jenkins web interface (ticket #6270); anyone can download the built products
  • tools: Jenkins, jenkins-job-builder
  • configuration:
    • master:
      • jenkins class in puppet-jenkins,
      • a few Jenkins pluggins installed with jenkins::plugin
      • manifests to glue the above tools together (ticket #6056)
      • YAML jobs configuration lives in a dedicated Git repository; jenkins-job-builder uses it to configure Jenkins
    • slaves:

rsync

  • purpose: provide content to the public rsync server, from which all HTTP mirrors in turn pull
  • access: read-only for those who need it, read-write for Tails core developers
  • tools: rsync
  • configuration: tails::rsync in puppet-tails

Tor bridge

  • purpose: provide a Tor bridge that Tails contributors can easily use for testing
  • access: anyone who gets it from BridgeDB
  • tools: tor, obfsproxy
  • configuration:

Web server

  • purpose: serve web content for any other service that need it
  • access: depending on the service
  • tools: nginx
  • configuration:

WhisperBack relay

  • purpose: forward bug reports sent with WhisperBack to tails-bugs@boum.org
  • access: public; WhisperBack (and hence, any bug reporter) uses it
  • tools: Postfix
  • configuration: tails::whisperback::relay in puppet-tails