Diffstat (limited to 'TODOs.org')
-rw-r--r-- | TODOs.org | 32 |
1 files changed, 29 insertions, 3 deletions
@@ -82,7 +82,8 @@ In this situation, I if go on with automating the deployment I'd rather pick the I'll start with other services other than email and consider alternatives later. ** TODO Use Digital Ocean's Volumes for persistent extended storage ** TODO Make VPS provisioning more robust -*** TODO Use Ansible (or an equivalent tool) instead of custom Bash scripts +*** DONE Use Ansible (or an equivalent tool) instead of custom Bash scripts +CLOSED: [2019-06-05 Wed 16:41] They are now more fragile, ad-hoc and imperative than I would like. Today Terraform won't run the =deploy.sh= if no infrastructure changes are required. Split infrastructure provisioning from server configuration with somethong like Ansible or =nix copy closure= and add extra command in the pipeline run. @@ -97,7 +98,7 @@ borg list --short --sort-by timestamp | tail -n 1 #+END_SOURCE ** WAITING Configure DNS from Terraform *** TODO Test provisioning DNS entries with other DNS registrars -*** TODO Have dynamic Floating IP +*** TODO Have dynamic Floating IP (a.k.a. =$PINNED_IP=) ** TODO Create snapshots before destroying resources This way the previous good state can be reverted if the deployment fails or the backup can't be restored. 
@@ -107,6 +108,13 @@ https://www.reddit.com/r/selfhosted/comments/bw8hqq/top_3_measures_to_secure_you https://docs.nextcloud.com/server/stable/admin_manual/installation/harden_server.html https://ownyourbits.com/2017/03/25/nextcloud-a-security-analysis/ ** TODO Use git-remote-gcrypt instead of git-crypt for vps-state +Also put all of the content of =secrets/*= into vps-state? Maybe rename it to vps-secret? + +Right now, secrets are scattered between the two repositories. By moving I can completely remove =git-crypt= from this repository. +** TODO Run backup on Terraform destroy action instead of manually in =provision.sh= +** TODO Explicitly destroy Droplets before running Terraform apply? +** TODO Store updated =.tfstate= even in case of deployment failure +Right now the script fails on Terraform commands before reaching git commands. I should trap the error, store on git and only then fail. * Must ** Fully deployable from code Use NixOps and Terraform to fully automate all of the configuration. @@ -166,7 +174,7 @@ The ultimate goal would be to upsert a Floating IP address? If no Floating IP ad In other words, I don't want any hardcoded IPs in the recipe. The IP address has to be fixed, and the same on the DNS registrar and DigitalOcean's Floating IP. ** TODO Critiques of Docker? -What does NixOps, DisNix and Dysnomia are trying to accomplish that overlap with Docker? +What does NixOps, DisNix and Dysnomia are trying to accomplish that overlap with Docker? Use sqldiff for NixOps? Do they do a better job? Why? Why not? 
@@ -223,3 +231,21 @@ All data stored on git is encrypted with [[https://www.agwa.name/projects/git-cr By taking advantage of the sourcehut ecosystem, it was easier to setup the access of the pipeline to the ad-hoc Terraform backend. I created a repository called [[https://git.sr.ht/~euandreh/vps-state/][=vps-state=]] to store the encrypted =.tfstate= and =.tfplan= files. During the CI run, the pipeline creates new a =.tfplan= file and commits it into =vps-state=, and after applying the plan it updates the =.tfstate= file and adds this change to =vps-state=. +** Configuration of =StrictHostKeyChecking= +We have 2 cases where I'm pushing things to the server and I'm dealing with it differently: +*** 1. Pushing updates to the =vps-state= repository +I could whitelist the SSH keys from the =git.sr.ht= servers, but this could break on every key rotation of the server. + +In can of the server address being spoofed, the content would be readable by the attacker, since we're doing all the encryption on the client. We would, however, lose a Terraform state file update. As of right now, I'm OK with this trade-off. +*** 2. Running =scp= to the deployed VPS +On this situation I want to be sure I know where I'm pushing to. + +In order to avoid adding =StrictHostKeyChecking= when running =ssh= and =scp=, every time the SSH key is rotated I generate a new =./secrets/ssh/known-hosts.txt= file with the proper SSH public key. + +This way we can avoid prompting for SSH server fingerprint trust on the CI and avoid adding =StrictHostKeyChecking= on those calls. +** Don't use Ansible as a =local-exec= provisioner from Terraform +Instead, explicitly call =ansible-playbook= after =terraform apply= finished running. + +This way we test the DNS A record -> Floating IP -> Droplet IP path. 
We can't do that inside Terraform declaration because the =local-exec= provisioning command runs before the =digitalocean_floating_ip_assignment= is created, and we can't create a cyclic dependency between the two resources. + +We could use the raw Droplet IP instead of the DNS A record, but I prefer calling it later in order to always test the full DNS resolution. |
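Review bot: In the hunk at @@ -82,7, marking "Use Ansible (or an equivalent tool) instead of custom Bash scripts" as DONE leaves the paragraph directly below it ("They are now more fragile, ad-hoc and imperative than I would like ... Split infrastructure provisioning from server configuration with somethong like Ansible ...") describing the problem as still open. Either move that text under the parent "Make VPS provisioning more robust" item as background or rewrite it in the past tense, and fix "somethong" to "something" while touching it. If the "Terraform won't run the =deploy.sh= if no infrastructure changes are required" issue is what the new "Don't use Ansible as a =local-exec= provisioner from Terraform" section resolves, say so here so the two entries reference each other.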
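Review bot: In the hunk at @@ -97,7, "Have dynamic Floating IP (a.k.a. =$PINNED_IP=)" pairs "dynamic" with a variable named PINNED, which reads as a contradiction. Spell out that the goal is to look the address up at deploy time instead of hardcoding it (the later note "I don't want any hardcoded IPs in the recipe" says this), and keep the same name for the Terraform variable and the DNS record so the two can be checked against each other.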
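Review bot: In the hunk at @@ -107,6, for "Store updated =.tfstate= even in case of deployment failure", trapping the error, committing, and only then failing is the right order, but the entry should also say what happens to a state file written by a partially applied plan: it is the only record of the resources that were actually created, so it must be committed even when the apply itself fails, otherwise the next run has no knowledge of Droplets that already exist. Related to this, "Explicitly destroy Droplets before running Terraform apply?" should be gated on the existing "Create snapshots before destroying resources" item, and moving all of =secrets/*= into vps-state concentrates every secret in one repository, so the entry should record who can read that repository once =git-crypt= is removed from this one.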
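Review bot: In the hunk at @@ -166,7, "Use sqldiff for NixOps?" is appended to the unrelated question about Docker overlap; give it its own line (or its own TODO) so it is not lost. While there, "What does NixOps, DisNix and Dysnomia are trying to accomplish" should read "What are NixOps, DisNix and Dysnomia trying to accomplish".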
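Review bot: In the hunk at @@ -223,3, the trade-off accepted under "1. Pushing updates to the =vps-state= repository" is understated: with host key verification relaxed, an impersonated =git.sr.ht= does not just cost one lost state update, it can also hand the pipeline an older (replayed) =.tfstate= on the next clone, and Terraform would then plan against stale state. The mechanism already chosen for case 2, a committed =./secrets/ssh/known-hosts.txt= regenerated whenever a key rotates, applies equally here, which turns a server key rotation into a documented manual update rather than a reason to skip verification; the section should at least state why the two cases are treated differently. Smaller fixes in the same hunk: "In can of the server address being spoofed" should be "In case of", "creates new a =.tfplan= file" should be "creates a new", and the section switches between "we" and "I" throughout; pick one.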