At the beginning, the virtual machine was administered by the FSF sysadmins (through cfengine and FAI) and by the Replicant maintainers (without configuration management).
The Replicant maintainers have now completely taken over the management of the VM. The FSF only performs backups for us, through scripts that use SSH.
The VM no longer uses cfengine, and the FSF sysadmins no longer manage it, but they can help in case of issues (see FSFVMRootAccess for more details).
We then took over FAI, which was still being used for automatic updates only, but since it kept installing packages that increased the attack surface (like samba), we switched to using unattended-upgrades.
We then tried etckeeper and configured it to do manual commits only. However, it didn't work for '/' (though it worked fine for directories).
We then moved to ad-hoc configurations in git with custom install scripts / Makefile and templating.