python-support-infra/TODO.md

# Ansible / Dev TODO
Cluster/Ansible Setup
- [x] Setup Playbook
- [x] Root as local var: `work/dtu/python-support/*`
- [x] Get 2 DO Droplets
- [x] Provision DNS
- [ ] Key Fingerprint as local var
- [x] Setup Wireguard wg0 between DO Droplets
- [ ] Setup unattended-upgrades

Swarm
- [x] Install Docker
- [x] Check Swarm ports on wg0: https://docs.docker.com/engine/swarm/swarm-tutorial/
- [x] Init Swarm manager & worker
- [x] Install rclone volume plugin: https://rclone.org/docker/
- [ ] Label big one as 'storage'

Stack: cleanup
- [x] Security Audit
- [x] **Deploy Stack**

Stack: mesh
- [x] Install Configs
- [x] **Deploy Stack**

- [x] rclone `acme.json` to R2 w/crypt
- [ ] Security Audit

Stack: site-support
- [x] Generate Configs
- [x] Install Configs
- [x] **Deploy Stack**

- [ ] Security Audit

Stack: updater
- [ ] config: main
- [ ] config: cleanup
- [ ] config: mesh
- [ ] config: site-support
- [ ] Install Configs
- [ ] **Deploy Stack**

- [ ] Security Audit

Stack: auth
- [ ] Write Stack
- [ ] storage: authentik-postgres
- [ ] storage: authentik-redis
- [ ] *Test Deploy*

- [ ] configs: Blueprints (export from prototyping)
- [ ] Install Configs
- [ ] role: API Setup of Things
- [ ] **Deploy Stack**

- [ ] updater: Integrate update-check
- [ ] Security Audit

Stack: s3
- [ ] Write Stack
	- https://geek-cookbook.funkypenguin.co.nz/recipes/minio/
	- Restrict to 'storage' label.
	
- [ ] ...?
- [ ] Install Configs
- [ ] Install Secrets
- [ ] storage: minio
- [ ] *Test Deploy*

- [ ] role: API Setup of Things
- [ ] **Deploy Stack**

- [ ] auth: Integrate OIDC
	- https://min.io/docs/minio/container/operations/external-iam.html
	- https://goauthentik.io/integrations/services/minio/
- [ ] updater: integrate
- [ ] Security Audit

Stack: chat
- [ ] Write Stack
	- https://geek-cookbook.funkypenguin.co.nz/recipes/minio/
	- Restrict to 'storage' label.
	
- [ ] ...?
- [ ] Install Configs
- [ ] Install Secrets
- [ ] storage: zulip-postgres
- [ ] storage: zulip-rabbitmq
- [ ] storage: zulip-redis
- [ ] s3: zulip
- [ ] *Test Deploy*

- [ ] auth: Integrate OIDC
	- https://zulip.readthedocs.io/en/latest/production/authentication-methods.html#openid-connect
	- Backup SAML: https://goauthentik.io/integrations/services/zulip/
- [ ] role: API Setup of Things
- [ ] **Deploy Stack**

- [ ] updater: Integrate
- [ ] Security Audit

Stack: git
- [ ] Install Configs
- [ ] Install Secrets
- [ ] *Test Deploy*

- [ ] storage: gitea-redis
- [ ] storage: gitea-postgres
- [ ] storage: gitea-mellisearch
	- https://www.meilisearch.com/docs/learn/cookbooks/docker
- [ ] s3: gitea
- [ ] s3 via rclone: gitea (repositories)
- [ ] role: API Setup of Things
- [ ] **Deploy Stack**

- [ ] Configure gitea-actions w/auto-setup
- [ ] manual: Migrate docker-mdbook, site-support.


Bonus:
- Play with `uptime`.
- Backups!


# Playbook Creation Notes
- [x] mesh should use a non-`local` driver.
- [ ] Implement rolling updates to services within stacks, whose configs have changed.
	- Note `rolling_updates` in the `docker_config` ansible module.
	- With a little information-gathering, I'm certain we can prevent actually stopping stacks on deploy and instead only do the secret rotation as described in the Docker documentation: https://docs.docker.com/engine/swarm/secrets/#example-rotate-a-secret
	- NOTE that the rclone volume stuff is always gonna need manual stop/start. Is jank. Such is the life.

- [ ] Automatic R2 Bucket Creation
- [ ] Only do the delays when we actually need to stop stacks / unmount volumes 

- [ ] Encrypted use of R2 bucket.
	- https://rclone.org/crypt/ 

- [ ] Templated security.txt in site-support
- [ ] Templated limits to not kill the demo hosts in ex. site-support :)

- [ ] Please, please, a nice README.md in site-support?

- [ ] Move DNS stuff out to the stacks. Trust me!
- [ ] Invest in some delegation to roles. These playbooks be gettin messy.

- [ ] Figure out a way to deal with concurrent `acme.json` in Traefik. For now I've set it to one replica and `vfs_cache_mode=full` (I think `none` may be wonky with this particular need of Traefik?)
	- Needs more testing!
feat: Working minimal, reproducible infrastructure. 2023-08-13 04:49:19 +02:00			`# Ansible / Dev TODO`
			`Cluster/Ansible Setup`
			`- [x] Setup Playbook`
			- [x] Root as local var: `work/dtu/python-support/*`
			`- [x] Get 2 DO Droplets`
			`- [x] Provision DNS`
			`- [ ] Key Fingerprint as local var`
			`- [x] Setup Wireguard wg0 between DO Droplets`
			`- [ ] Setup unattended-upgrades`

			`Swarm`
			`- [x] Install Docker`
			`- [x] Check Swarm ports on wg0: https://docs.docker.com/engine/swarm/swarm-tutorial/`
			`- [x] Init Swarm manager & worker`
			`- [x] Install rclone volume plugin: https://rclone.org/docker/`
			`- [ ] Label big one as 'storage'`

			`Stack: cleanup`
			`- [x] Security Audit`
			`- [x] Deploy Stack`

			`Stack: mesh`
			`- [x] Install Configs`
			`- [x] Deploy Stack`

			- [x] rclone `acme.json` to R2 w/crypt
			`- [ ] Security Audit`

			`Stack: site-support`
			`- [x] Generate Configs`
			`- [x] Install Configs`
			`- [x] Deploy Stack`

			`- [ ] Security Audit`

			`Stack: updater`
			`- [ ] config: main`
			`- [ ] config: cleanup`
			`- [ ] config: mesh`
			`- [ ] config: site-support`
			`- [ ] Install Configs`
			`- [ ] Deploy Stack`

			`- [ ] Security Audit`

			`Stack: auth`
			`- [ ] Write Stack`
			`- [ ] storage: authentik-postgres`
			`- [ ] storage: authentik-redis`
			`- [ ] Test Deploy`

			`- [ ] configs: Blueprints (export from prototyping)`
			`- [ ] Install Configs`
			`- [ ] role: API Setup of Things`
			`- [ ] Deploy Stack`

			`- [ ] updater: Integrate update-check`
			`- [ ] Security Audit`

			`Stack: s3`
			`- [ ] Write Stack`
			`- https://geek-cookbook.funkypenguin.co.nz/recipes/minio/`
			`- Restrict to 'storage' label.`

			`- [ ] ...?`
			`- [ ] Install Configs`
			`- [ ] Install Secrets`
			`- [ ] storage: minio`
			`- [ ] Test Deploy`

			`- [ ] role: API Setup of Things`
			`- [ ] Deploy Stack`

			`- [ ] auth: Integrate OIDC`
			`- https://min.io/docs/minio/container/operations/external-iam.html`
			`- https://goauthentik.io/integrations/services/minio/`
			`- [ ] updater: integrate`
			`- [ ] Security Audit`

			`Stack: chat`
			`- [ ] Write Stack`
			`- https://geek-cookbook.funkypenguin.co.nz/recipes/minio/`
			`- Restrict to 'storage' label.`

			`- [ ] ...?`
			`- [ ] Install Configs`
			`- [ ] Install Secrets`
			`- [ ] storage: zulip-postgres`
			`- [ ] storage: zulip-rabbitmq`
			`- [ ] storage: zulip-redis`
			`- [ ] s3: zulip`
			`- [ ] Test Deploy`

			`- [ ] auth: Integrate OIDC`
			`- https://zulip.readthedocs.io/en/latest/production/authentication-methods.html#openid-connect`
			`- Backup SAML: https://goauthentik.io/integrations/services/zulip/`
			`- [ ] role: API Setup of Things`
			`- [ ] Deploy Stack`

			`- [ ] updater: Integrate`
			`- [ ] Security Audit`

			`Stack: git`
			`- [ ] Install Configs`
			`- [ ] Install Secrets`
			`- [ ] Test Deploy`

			`- [ ] storage: gitea-redis`
			`- [ ] storage: gitea-postgres`
			`- [ ] storage: gitea-mellisearch`
			`- https://www.meilisearch.com/docs/learn/cookbooks/docker`
			`- [ ] s3: gitea`
			`- [ ] s3 via rclone: gitea (repositories)`
			`- [ ] role: API Setup of Things`
			`- [ ] Deploy Stack`

			`- [ ] Configure gitea-actions w/auto-setup`
			`- [ ] manual: Migrate docker-mdbook, site-support.`


			`Bonus:`
			- Play with `uptime`.
			`- Backups!`



			`# Playbook Creation Notes`
			- [x] mesh should use a non-`local` driver.
			`- [ ] Implement rolling updates to services within stacks, whose configs have changed.`
			- Note `rolling_updates` in the `docker_config` ansible module.
			`- With a little information-gathering, I'm certain we can prevent actually stopping stacks on deploy and instead only do the secret rotation as described in the Docker documentation: https://docs.docker.com/engine/swarm/secrets/#example-rotate-a-secret`
			`- NOTE that the rclone volume stuff is always gonna need manual stop/start. Is jank. Such is the life.`

			`- [ ] Automatic R2 Bucket Creation`
			`- [ ] Only do the delays when we actually need to stop stacks / unmount volumes`

			`- [ ] Encrypted use of R2 bucket.`
			`- https://rclone.org/crypt/`

			`- [ ] Templated security.txt in site-support`
			`- [ ] Templated limits to not kill the demo hosts in ex. site-support :)`

			`- [ ] Please, please, a nice README.md in site-support?`

			`- [ ] Move DNS stuff out to the stacks. Trust me!`
			`- [ ] Invest in some delegation to roles. These playbooks be gettin messy.`

			- [ ] Figure out a way to deal with concurrent `acme.json` in Traefik. For now I've set it to one replica and `vfs_cache_mode=full` (I think `none` may be wonky with this particular need of Traefik?)
			`- Needs more testing!`