author: EuAndreh <eu@euandre.org> 2019-05-30 01:00:57 -0300
committer: EuAndreh <eu@euandre.org> 2019-05-30 01:21:56 -0300
commit: 64c9e19e2bebfbb74ca4a0f19e5cdeaafb3427d7 (patch)
tree: af6f9cd4602c1396d8637c5cdacb519f0751f690
parent: Fix vps.tf formatting (linter offense) (diff)
download: server-64c9e19e2bebfbb74ca4a0f19e5cdeaafb3427d7.tar.gz
          server-64c9e19e2bebfbb74ca4a0f19e5cdeaafb3427d7.tar.xz

Diffstat:
-rw-r--r--  TODOs.org  57
1 files changed, 52 insertions, 5 deletions
diff --git a/TODOs.org b/TODOs.org
index c7a3bdc..034d1d4 100644
--- a/TODOs.org
+++ b/TODOs.org
@@ -3,8 +3,10 @@
CLOSED: [2019-05-25 Sat 13:29]
** DONE Properly provision Ubuntu droplet
CLOSED: [2019-05-25 Sat 17:50]
-** DOING Automate deployment of updates
-*** DOING Subtasks
+** DONE Automate deployment of updates
+CLOSED: [2019-05-29 Wed 17:42]
+*** DONE Subtasks
+CLOSED: [2019-05-29 Wed 17:42]
**** DONE Fix Debian import of GPG keys
CLOSED: [2019-05-26 Sun 14:34]
While NixOS image isn't fixed, use Debian instead.
@@ -25,8 +27,10 @@ CLOSED: [2019-05-26 Sun 19:42]
Put it in an environment variable?
Done by appending to content of =~/.ssh/config=.
-**** DOING Use DigitalOcean's Floating IP in front of the droplet
-**** DOING Automate deployment with Terraform and deployment scripts
+**** DONE Use DigitalOcean's Floating IP in front of the droplet
+CLOSED: [2019-05-28 Tue 23:22]
+**** DONE Automate deployment with Terraform and deployment scripts
+CLOSED: [2019-05-29 Wed 15:54]
**** DONE Backup data during deployments
CLOSED: [2019-05-28 Tue 00:48]
Is this approach feasible? Will it make the deployment take too much longer? What are the alternatives?
@@ -39,7 +43,6 @@ rsync --verbose --progress --stats --update --recursive "$RSYNC_REMOTE" "$HOME/b
#+END_SOURCE
Implemented with help from https://jstaf.github.io/2018/03/12/backups-with-borg-rsync.html
-**** TODO Test provisioning DNS entries with other DNS registrars
**** DONE Namecheap whitelist IP limitation
CLOSED: [2019-05-26 Sun 17:14]
Namecheap requires you to specifically whitelist an IP that can perform changes to their API.
@@ -78,7 +81,27 @@ In this situation, I if go on with automating the deployment I'd rather pick the
I'll start with other services other than email and consider alternatives later.
** TODO Use Digital Ocean's Volumes for persistent extended storage
+** TODO Make VPS provisioning more robust
+*** TODO Use Ansible (or an equivalent tool) instead of custom Bash scripts
+They are now more fragile, ad-hoc and imperative than I would like.
+
+Today Terraform won't run the =deploy.sh= if no infrastructure changes are required. Split infrastructure provisioning from server configuration with somethong like Ansible or =nix copy closure= and add extra command in the pipeline run.
+*** TODO Always perform a blue/green infrastructure deployment with Terraform
+Recreate a new Droplet from scratch, even if no changes happened.
+
+This way every deployment tests the code path of creating everything from scratch again, from the DNS public IP all the way to restoring backups.
+*** TODO Destroy and recreate the volume on deployment
+Restore from the latest backup with:
+#+BEGIN_SOURCE shell
+borg list --short --sort-by timestamp | tail -n 1
+#+END_SOURCE
** WAITING Configure DNS from Terraform
+*** TODO Test provisioning DNS entries with other DNS registrars
+*** TODO Have dynamic Floating IP
+** TODO Create snapshots before destroying resources
+This way the previous good state can be reverted if the deployment fails or the backup can't be restored.
+
+Can a TTL be added to the Droplet and the Volume's snapshots?
* Must
** Fully deployable from code
Use NixOps and Terraform to fully automate all of the configuration.
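Review bot: the snippet under "Destroy and recreate the volume on deployment" (`borg list --short --sort-by timestamp | tail -n 1`) only prints the name of the newest archive; it restores nothing, so the step needs a follow-up `borg extract` of that archive into the fresh volume, and the restore should be verified before the old volume is destroyed (the "Create snapshots before destroying resources" item added in this same hunk is the right safety net, and the snapshot TTL question should be answered with a retention long enough to cover a failed restore and its investigation). Destroying the volume on every deployment also discards anything written since the last backup unless "Backup data during deployments" runs first in the same pipeline; that ordering is worth stating explicitly next to the blue/green item. Minor: "somethong" should be "something", and the Nix tool is spelled `nix-copy-closure`.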
@@ -94,6 +117,14 @@ A bookmark application must:
https://github.com/nextcloud/docker
Do I need to configure =NEXTCLOUD_TRUSTED_DOMAINS= or it should work without it?
+
+Start with =cloud.euandreh.org= before =mail.euandreh.org= so I can retire =arrobaponto.org= and reuse it for other projects.
+
+Activate client-side [[https://docs.nextcloud.com/server/11/user_manual/files/encrypting_files.html][encryption]] of files. Activate two-factor authentication for admin and user accounts.
+
+Nextcloud bookmarks instead of Wallabag? Does it have browser extension and Android app? How about the password manager? Is is client-side encrypted?
+
+Should I consider using an external storage provider, like S3, instead of solely local (DigitalOcean's attached volume)?
** TODO =mail.euandreh.org=: Email + webmail
https://github.com/tomav/docker-mailserver
https://mailu.io/master/demo.html
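Review bot: the new Nextcloud line says "client-side encryption" but links the user manual page for Nextcloud's Encryption app, which is server-side: the keys are held by the server, so it protects files at rest on the storage backend (relevant if the S3 external-storage question in the same paragraph is answered yes) but not against a compromised server. If client-side really is the goal, the End-to-End Encryption app is the separate feature to evaluate; either way the link points at the server/11 manual and should track the version actually deployed. Typo: "Is is client-side encrypted?" should read "Is it client-side encrypted?".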
@@ -126,12 +157,18 @@ Right now the current Floating IP defined in =.envrc= was created manually in Di
If everything was teared down, I couldn't recreate everything from source, because the Floating IP would be different.
The ultimate goal would be to upsert a Floating IP address? If no Floating IP address exists, create one. If one already exists (I don't how to get a reference to it), use it.
+
+In other words, I don't want any hardcoded IPs in the recipe. The IP address has to be fixed, and the same on the DNS registrar and DigitalOcean's Floating IP.
** TODO Critiques of Docker?
What does NixOps, DisNix and Dysnomia are trying to accomplish that overlap with Docker?
Do they do a better job? Why? Why not?
Get a book on advanced Docker, or container fundamentals and dig deeper.
+** TODO Should I have an extra backup location?
+Maybe rsync the contents of the Borg repository into S3. Should I restore backups from these too?
+** TODO Should I be using something like [[https://www.vaultproject.io/][Vault]] instead of git-crypt?
+Can it do key rotation?
** DONE Do I want or need Docker? Should I use it?
CLOSED: [2019-05-25 Sat 18:1980]
It was a better path than sticking with NixOps and nixcloud-webservices. It's more widespread and has more things done for it.
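Review bot: the "upsert a Floating IP" question already has a Terraform answer: import the manually created address into state once with `terraform import digitalocean_floating_ip.<name> <ip>`, after which the resource is managed like any other and the DNS records can reference its address attribute instead of a value hardcoded in =.envrc=. That removes the hardcoded IP without requiring the address to be recreatable from scratch. On the two new questions: git-crypt has no key rotation, so revoking a collaborator or replacing a leaked key means generating a new key and re-encrypting, and the old history stays readable with the old key; Vault rotates and leases secrets but is a running service that itself has to be operated and protected, so the choice depends on whether secrets ever need to be revoked rather than merely stored. For the extra backup location, rsyncing the Borg repository to S3 only preserves confidentiality if the repository uses an encrypted mode (repokey or keyfile), the key is backed up separately from the repository, and the sync runs after `borg create` has finished so the copy is consistent; and yes, a restore from that copy should be exercised, otherwise it is not a usable backup.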
@@ -145,6 +182,15 @@ This was I can compartimentalize the data storage to easily backup and duplicate
** =*.euandreh.org=
** Nix Terraform provisioning
** Upgrade =docker-compose.yaml= file from version 2 to version 3
+** Full blue/green deployments without downtime
+Only when doing a voluntary restore from backup in a newly created volume.
+
+Is there email software capable of doing this? A distributed email server that doesn't rely so much on the server file system, but on a database instead?
+** Do all this in a Raspberry Pi
+Even the email server can be in it. Is RAM the beiggest limitation for it?
+
+Raspberry Pi vs VPS
+** README with setup instructions
* Resources
** [[https://github.com/mail-in-a-box/mailinabox][Mail-in-a-Box]]
** [[https://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/][NSA-proof your e-mail in 2 hours]]
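Review bot: typo in the Raspberry Pi item: "beiggest" should be "biggest". The "README with setup instructions" item is also the natural place to record the from-scratch rebuild order (Floating IP and DNS bootstrap, then volume restore from the newest Borg archive) that the TODOs earlier in this patch describe, since a blue/green rebuild is only as repeatable as that written procedure.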
@@ -153,6 +199,7 @@ This was I can compartimentalize the data storage to easily backup and duplicate
** [[https://github.com/sovereign/sovereign/][Sovereign]]
** [[https://github.com/nixcloud/nixcloud-webservices][nixcloud-webservices]]
** [[https://github.com/Kickball/awesome-selfhosted#email][Awesome-Selfhosted: Email]]
+** [[https://arstechnica.com/information-technology/2014/04/taking-e-mail-back-part-4-the-finale-with-webmail-everything-after/][Taking e-mail back]]
* Decisions
** Use external git repository as an encrypted database
Terraform does have the support for "backends" where it can store =.tfstate= files.