author EuAndreh <eu@euandre.org> 2019-06-10 22:04:58 -0300
committer EuAndreh <eu@euandre.org> 2019-06-10 22:15:54 -0300
commit b12f63d8dacaf2c891d712ec685d7dfc390d10e4 (patch)
tree 431d13e9405f85fbab8c386d9821728c2e10a63a
parent Store updated Terraform files in case of failure (diff)
-rw-r--r-- TODOs.org | 42
1 files changed, 27 insertions, 15 deletions
diff --git a/TODOs.org b/TODOs.org
index 471f59c..2f2b85a 100644
--- a/TODOs.org
+++ b/TODOs.org
@@ -1,4 +1,4 @@
-* Tasks
+* Tasks - v1
** DONE Provision DigitalOcean's droplet from Terraform
CLOSED: [2019-05-25 Sat 13:29]
** DONE Properly provision Ubuntu droplet
@@ -127,20 +127,22 @@ DNS registrar API are bad in general (from what I've seen). Using DigitalOcean's
*** DONE Have dynamic Floating IP (a.k.a. =$PINNED_IP=)
CLOSED: [2019-06-09 Sun 22:52]
Floating IP is dynamically attached to the DNS entry in DigitalOcean itself.
-** TODO Create snapshots before destroying resources
+** NEXT Create snapshots before destroying resources
This way the previous good state can be reverted if the deployment fails or the backup can't be restored.
Can a TTL be added to the Droplet and the Volume's snapshots?
** TODO Harden the server
-https://www.reddit.com/r/selfhosted/comments/bw8hqq/top_3_measures_to_secure_your_virtual_private/
-https://docs.nextcloud.com/server/stable/admin_manual/installation/harden_server.html
-https://ownyourbits.com/2017/03/25/nextcloud-a-security-analysis/
-Check for HSTS header configuration
-** TODO Use git-remote-gcrypt instead of git-crypt for vps-state
+*** TODO [#C] [[https://www.reddit.com/r/selfhosted/comments/bw8hqq/top_3_measures_to_secure_your_virtual_private/][Top 3 measures to secure your Virtual Private Server? (VPS)]]
+*** TODO [#A] [[https://docs.nextcloud.com/server/stable/admin_manual/installation/harden_server.html][Nextcloud: Hardening and security guidance]]
+*** TODO [#A] [[https://ownyourbits.com/2017/03/25/nextcloud-a-security-analysis/][NextCloud, a security analysis]]
+*** TODO [#B] [[https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md][Check for HSTS header configuration]]
+** CANCELLED Use git-remote-gcrypt instead of git-crypt for vps-state
Also put all of the content of =secrets/*= into vps-state? Maybe rename it to vps-secret?
Right now, secrets are scattered between the two repositories. By moving I can completely remove =git-crypt= from this repository.
-** TODO Run backup on Terraform destroy action instead of manually in =provision.sh=
+*** Cancelled:
+The =vps-state= repo isn't supposed to centralize all secrets, it's just a storage backend for Terraform files.
+** NEXT Run backup on Terraform destroy action instead of manually in =provision.sh=
** DONE Explicitly destroy Droplets before running Terraform apply
CLOSED: [2019-06-05 Wed 19:48]
** DONE Store updated =.tfstate= even in case of deployment failure
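Review bot: The rationale under the new "Cancelled:" heading ("it's just a storage backend for Terraform files") understates what vps-state holds: a .tfstate file records resource attributes in plaintext, and the DONE item right below ("Store updated =.tfstate= even in case of deployment failure") guarantees those files land in that repository on every run, so vps-state is already a secret store whether or not =secrets/*= moves into it. Suggest a second line under the cancelled item recording which of git-crypt or git-remote-gcrypt protects vps-state and that .tfstate is treated as sensitive, so the reason for keeping git-crypt in both repositories is written down rather than implied.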
@@ -151,10 +153,16 @@ CLOSED: [2019-06-10 Mon 09:01]
** DONE Email verbose (Ansible) log files in case of error
CLOSED: [2019-06-10 Mon 16:59]
builds.sr.ht only emails the link. Should it be extended to support encrypted log attachments?
-** TODO Use environment variables for SSH key paths and volume mounts
+** CANCELLED Use environment variables for SSH key paths and volume mounts
+Make this change only if I have to change any of it's names.
+
+It's working fine like this right now, and I'll gain nothing from this change.
** DONE Don't allow backups to fail
CLOSED: [2019-06-10 Mon 11:21]
-** TODO Don't hardcode =/root/= paths: use =~/= instead to allow for different users
+** CANCELLED Don't hardcode =/root/= paths: use =~/= instead to allow for different users
+Make this change only if I have to change any of it's names.
+
+It's working fine like this right now, and I'll gain nothing from this change.
* Services
** DONE =$tld=: Static webhosting
CLOSED: [2019-05-26 Sun 10:17]
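Review bot: The justification copied verbatim under both CANCELLED items ("I'll gain nothing from this change") drops the reason the =/root/= item existed: hardcoded =/root/= paths pin the provisioning to running as root, so cancelling it also cancels the option of a less privileged deploy user later. If running as root is the intended design, say so in the cancellation note (e.g. "provisioning runs as root by design"); otherwise a low-priority TODO fits better than CANCELLED. Minor: "it's names" should read "its names" in both notes.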
@@ -255,9 +263,16 @@ Provision it using Terraform, and use it's path as the =$VOLUME_HOME= variable f
This was I can compartimentalize the data storage to easily backup and duplicate, but also destroy a running droplet and create a new one.
* Nice to have
-** =euandreh.org= as =$tld=
+** TODO Upgrade =docker-compose.yaml= file from version 2 to version 3
+** TODO =euandreh.org= as =$tld=
+** TODO Improve rotation of SSH port
+Remove need for manual intervention
** Nix Terraform provisioning
-** WAITING Upgrade =terraform-godaddy= to 0.12 to support looping over CNAME records
+** WAITING Upgrate Terraform to 0.12.1 to use =for_each= loops on resources
+Previous title:
+
+: Upgrade =terraform-godaddy= to 0.12 to support looping over CNAME records
+
When using =terraform-godaddy= this made sense:
#+BEGIN_SRC hcl
locals {
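Review bot: The retitled WAITING item names Terraform 0.12.1 as the release that allows =for_each= on resources, but resource-level for_each did not ship until 0.12.6; in 0.12.1 for_each was only usable inside dynamic blocks, so the version in the heading should be raised or loosened to "0.12.x" so the item is not closed prematurely after the 0.12.1 upgrade. The heading also has a typo: "Upgrate" for "Upgrade".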
@@ -304,7 +319,6 @@ resource "digitalocean_record" "subdomains" {
value = "${digitalocean_domain.vps_tld.name}."
}
#+END_SRC
-** Upgrade =docker-compose.yaml= file from version 2 to version 3
** Full blue/green deployments without downtime
Only when doing a voluntary restore from backup in a newly created volume.
@@ -316,8 +330,6 @@ Raspberry Pi vs VPS
Imagine 2 Raspberry Pis, doing immutable blue/green deployments on it, with a large local of a few TBs!
** README with setup instructions
-** Improve rotation of SSH port
-Remove need for manual intervention
* Resources
** [[https://github.com/mail-in-a-box/mailinabox][Mail-in-a-Box]]
** [[https://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/][NSA-proof your e-mail in 2 hours]]