With your changes regarding secure connection:

Added opportunistic TLS for client and server connections:

Configuration changed in ~/.pg_service.conf and ~/.pg_pass (for the port)

pgbouncer has been setup on prado (port 6432) and should proxy all connections to postgres 9.4.

Now that the first batch import (github + snapshot.debian.org + gnu.org) is done and we won't be importing other sources for a while, a full object store backup from uffizi to banco has now started.

I'd be in favor of working with three clusters then:

That sounds sensible. We should be able to export a LV from our spinning rust storage to prado for that "mirrors" postgresql cluster.

Agreed, pgbouncer would be nice (and IIRC also the choice that Dimitri recommended to us a while back).

The latest pgbouncer release (1.7) supports TLS, hba and unix peer authentification so looks like a good candidate. I submitted a bug to Debian to ask for an update of the package : https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810816

This is now done. It worked well, but it's really slow.

Done during the 2015-12 reboot

In T238#2777, @olasd wrote:

Added DNAT configuration to louvre:/etc/network/interfaces.

Added DNAT configuration to louvre:/etc/network/interfaces.

this is now ongoing on banco, in a screen session of user barman

• foreach $i in 0..f
  • Created 10TB logical volume vg-swhbackup/backup$i
  • Created XFS filesystem on /dev/mapper/vg--swhbackup-backup$i
  • Created directory /srv/storage/space/$i
  • Mounted /dev/mapper/vg--swhbackup-backup$i on /srv/storage/space/$i
  • foreach $j in 0..f
    • Created directories /srv/storage/space/$i/$i$j and /srv/softwareheritage/objects/$i$j
    • Mounted directory /srv/storage/space/$i/$i$j on /srv/softwareheritage/objects/$i$j

Done (lv name: vg-swhbackup/barman, size = 20TB)

Done (vg name: vg-swhbackup).

Done.

Turns out the /etc/network/interfaces syntax for the bond interface was wrong T_T. Fixed.

Actually, I ran logrotate -f /etc/logrotate.conf and it ran okay.

I removed the culprit file (which was empty). I suppose it's a side effect of the out of disk issue of last week.

Deployed via puppet during the migration of T18.

Deployed via puppet and DNS updated.

this has been scripted on the current hosting site, dumps can be generated whenever we want them to be available

Signed certificates and private keys for *.softwareheritage.org and *.internal.softwareheritage.org are now available in rPWD.

Status update: Nicolas has submitted the CSR(s), waiting for DigiCert to ack.

This is now done. Some details:

And apache through to rSPPROFa11a325c.

uWSGI has been deployed through rSPPROFb76ea39d4

The systemd service file has been added, but it doesn't go well with the other phabricator daemons that are running...

Added another setting "notification.types" : ["task", "cmit"]

Added a setting "notifications.verbosity" in the bot config file. The default disabled notifications...

We can configure "application emails" to route inbound email to phabricator applications. We can then use Herald rules to route those addresses properly.

Pending DNS propagation, this should be done.

done in rSPPFIX840582c1d52c and rSPPFIXf97729a999d3

swh's puppet state of art - https://forge.softwareheritage.org/diffusion/SENV/