| author | EuAndreh <eu@euandre.org> | 2019-06-05 19:25:40 -0300 |
|---|---|---|
| committer | EuAndreh <eu@euandre.org> | 2019-06-05 19:25:40 -0300 |
| commit | 59c4792f47f8a007204903f948e4e562699375dd (patch) | |
| tree | 2dc1ab0160ce708fb1358584f8ec4553e7face95 | |
| parent | Fix git-crypt configuration (diff) | |
| download | server-59c4792f47f8a007204903f948e4e562699375dd.tar.gz server-59c4792f47f8a007204903f948e4e562699375dd.tar.xz | |
| -rw-r--r-- | TODOs.org | 6 |
1 files changed, 5 insertions, 1 deletions
@@ -133,6 +133,8 @@ Right now, secrets are scattered between the two repositories. By moving I can c ** TODO Store updated =.tfstate= even in case of deployment failure Right now the script fails on Terraform commands before reaching git commands. I should trap the error, store on git and only then fail. ** TODO Fix alias in =bash-profile.sh= +** TODO Email verbose (Ansible) log files in case of error +builds.sr.ht only emails the link. Should it be extended to support encrypted log attachments? * Must ** Fully deployable from code Use NixOps and Terraform to fully automate all of the configuration. @@ -250,7 +252,7 @@ By taking advantage of the sourcehut ecosystem, it was easier to setup the acces I created a repository called [[https://git.sr.ht/~euandreh/vps-state/][=vps-state=]] to store the encrypted =.tfstate= and =.tfplan= files. During the CI run, the pipeline creates new a =.tfplan= file and commits it into =vps-state=, and after applying the plan it updates the =.tfstate= file and adds this change to =vps-state=. ** Configuration of =StrictHostKeyChecking= -We have 2 cases where I'm pushing things to the server and I'm dealing with it differently: +We have 3 cases where I'm pushing things to the server and I'm dealing with it differently: *** 1. Pushing updates to the =vps-state= repository I could whitelist the SSH keys from the =git.sr.ht= servers, but this could break on every key rotation of the server. 
@@ -261,6 +263,8 @@ On this situation I want to be sure I know where I'm pushing to. In order to avoid adding =StrictHostKeyChecking= when running =ssh= and =scp=, every time the SSH key is rotated I generate a new =./secrets/ssh/known-hosts.txt= file with the proper SSH public key. This way we can avoid prompting for SSH server fingerprint trust on the CI and avoid adding =StrictHostKeyChecking= on those calls. +*** 3. Backup server +Even though the backup is encrypted before sending the data, I don't want to risk loosing a backup to an spoofed server. I'd rather break the build instead. ** Don't use Ansible as a =local-exec= provisioner from Terraform Instead, explicitly call =ansible-playbook= after =terraform apply= finished running. |
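Review bot: the new TODO "Email verbose (Ansible) log files in case of error" should note that verbose Ansible output can carry variable values and credentials from task results, so the question it raises about encrypted log attachments is the right one; record next to it that attachments must stay encrypted end to end and that sensitive tasks should be marked with `no_log` before any log is mailed out at all.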
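Review bot: the change from "We have 2 cases" to "We have 3 cases" only holds together with the "*** 3. Backup server" section added in the following hunk; if that section is dropped or moved, this heading count goes stale, so keep the two edits in the same commit (as done here) rather than splitting them later.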
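Review bot: in the new "*** 3. Backup server" section, "loosing a backup to an spoofed server" should read "losing a backup to a spoofed server". The section also does not say how the backup host is authenticated, while case 2 above describes regenerating `./secrets/ssh/known-hosts.txt` with the proper public key on every rotation; state whether the backup server's host key is pinned in that same file, since that is what makes the build break on a mismatch as the text intends.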