diff --git a/TODO.md b/TODO.md deleted file mode 100644 index 7483fa1..0000000 --- a/TODO.md +++ /dev/null 
@@ -1,149 +0,0 @@ -# Ansible / Dev TODO -Cluster/Ansible Setup -- [x] Setup Playbook -- [x] Root as local var: `work/dtu/python-support/*` -- [x] Get 2 DO Droplets -- [x] Provision DNS -- [ ] Key Fingerprint as local var -- [x] Setup Wireguard wg0 between DO Droplets -- [ ] Setup unattended-upgrades - -Swarm -- [x] Install Docker -- [x] Check Swarm ports on wg0: https://docs.docker.com/engine/swarm/swarm-tutorial/ -- [x] Init Swarm manager & worker -- [x] Install rclone volume plugin: https://rclone.org/docker/ -- [ ] Label big one as 'storage' - -Stack: cleanup -- [x] Security Audit -- [x] **Deploy Stack** - -Stack: mesh -- [x] Install Configs -- [x] **Deploy Stack** - -- [x] rclone `acme.json` to R2 w/crypt -- [ ] Security Audit - -Stack: site-support -- [x] Generate Configs -- [x] Install Configs -- [x] **Deploy Stack** - -- [ ] Security Audit - -Stack: updater -- [ ] config: main -- [ ] config: cleanup -- [ ] config: mesh -- [ ] config: site-support -- [ ] Install Configs -- [ ] **Deploy Stack** - -- [ ] Security Audit - -Stack: auth -- [ ] Write Stack -- [ ] storage: authentik-postgres -- [ ] storage: authentik-redis -- [ ] *Test Deploy* - -- [ ] configs: Blueprints (export from prototyping) -- [ ] Install Configs -- [ ] role: API Setup of Things -- [ ] **Deploy Stack** - -- [ ] updater: Integrate update-check -- [ ] Security Audit - -Stack: s3 -- [ ] Write Stack - - https://geek-cookbook.funkypenguin.co.nz/recipes/minio/ - - Restrict to 'storage' label. - -- [ ] ...? -- [ ] Install Configs -- [ ] Install Secrets -- [ ] storage: minio -- [ ] *Test Deploy* - -- [ ] role: API Setup of Things -- [ ] **Deploy Stack** - -- [ ] auth: Integrate OIDC - - https://min.io/docs/minio/container/operations/external-iam.html - - https://goauthentik.io/integrations/services/minio/ -- [ ] updater: integrate -- [ ] Security Audit - -Stack: chat -- [ ] Write Stack - - https://geek-cookbook.funkypenguin.co.nz/recipes/minio/ - - Restrict to 'storage' label. - -- [ ] ...? 
-- [ ] Install Configs -- [ ] Install Secrets -- [ ] storage: zulip-postgres -- [ ] storage: zulip-rabbitmq -- [ ] storage: zulip-redis -- [ ] s3: zulip -- [ ] *Test Deploy* - -- [ ] auth: Integrate OIDC - - https://zulip.readthedocs.io/en/latest/production/authentication-methods.html#openid-connect - - Backup SAML: https://goauthentik.io/integrations/services/zulip/ -- [ ] role: API Setup of Things -- [ ] **Deploy Stack** - -- [ ] updater: Integrate -- [ ] Security Audit - -Stack: git -- [ ] Install Configs -- [ ] Install Secrets -- [ ] *Test Deploy* - -- [ ] storage: gitea-redis -- [ ] storage: gitea-postgres -- [ ] storage: gitea-mellisearch - - https://www.meilisearch.com/docs/learn/cookbooks/docker -- [ ] s3: gitea -- [ ] s3 via rclone: gitea (repositories) -- [ ] role: API Setup of Things -- [ ] **Deploy Stack** - -- [ ] Configure gitea-actions w/auto-setup -- [ ] manual: Migrate docker-mdbook, site-support. - - -Bonus: -- Play with `uptime`. -- Backups! - - - -# Playbook Creation Notes -- [x] mesh should use a non-`local` driver. -- [ ] Implement rolling updates to services within stacks, whose configs have changed. - - Note `rolling_updates` in the `docker_config` ansible module. - - With a little information-gathering, I'm certain we can prevent actually stopping stacks on deploy and instead only do the secret rotation as described in the Docker documentation: https://docs.docker.com/engine/swarm/secrets/#example-rotate-a-secret - - NOTE that the rclone volume stuff is always gonna need manual stop/start. Is jank. Such is the life. - -- [ ] Automatic R2 Bucket Creation -- [ ] Only do the delays when we actually need to stop stacks / unmount volumes - -- [ ] Encrypted use of R2 bucket. - - https://rclone.org/crypt/ - -- [ ] Templated security.txt in site-support -- [ ] Templated limits to not kill the demo hosts in ex. site-support :) - -- [ ] Please, please, a nice README.md in site-support? - -- [ ] Move DNS stuff out to the stacks. Trust me! 
-- [ ] Invest in some delegation to roles. These playbooks be gettin messy. - -- [ ] Figure out a way to deal with concurrent `acme.json` in Traefik. For now I've set it to one replica and `vfs_cache_mode=full` (I think `none` may be wonky with this particular need of Traefik?) - - Needs more testing! diff --git a/playbooks/playbook.swarm.yml b/playbooks/playbook.swarm.yml index b28b654..3106dd2 100644 --- a/playbooks/playbook.swarm.yml +++ b/playbooks/playbook.swarm.yml @@ -67,12 +67,12 @@ path: "/var/lib/docker-plugins/rclone/cache" state: directory mode: "0750" - - - name: "Disable the rclone Docker Plugin" - community.docker.docker_plugin: - state: "disable" - alias: "rclone" - plugin_name: "rclone/docker-volume-rclone:amd64" + +# - name: "Disable the rclone Docker Plugin" +# community.docker.docker_plugin: +# state: "disable" +# alias: "rclone" +# plugin_name: "rclone/docker-volume-rclone:amd64" - name: "Install rclone Docker Plugin" community.docker.docker_plugin: diff --git a/run.sh b/run.sh index cf81d48..8f6fa24 100755 --- a/run.sh +++ b/run.sh @@ -135,6 +135,11 @@ case $1 in action_swarm ;; + sync-stacks) + action_stack_cleanup + action_stack_mesh + action_stack_site_support + ;; sync-stack-cleanup) action_stack_cleanup ;; diff --git a/stacks/site-support/docker-compose.yml b/stacks/site-support/docker-compose.yml index 813ce0e..a089e7e 100644 --- a/stacks/site-support/docker-compose.yml +++ b/stacks/site-support/docker-compose.yml @@ -2,7 +2,7 @@ version: "3.8" services: site-support: - image: git.sofus.io/so-rose/site-support:0 + image: git.sofus.io/python-support/site-support:0 user: "5020:5020" cap_drop: - ALL
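Review bot: The "Disable the rclone Docker Plugin" task is commented out rather than removed, which leaves six lines of dead code in the play with no reason recorded; either delete them (git history keeps them) or keep a single explanatory line such as `# Pre-install disable step dropped: <why>; re-add if plugin upgrades need the plugin disabled first`. If the step was dropped because it fails on a fresh host where the plugin is not yet installed, the cleaner fix is to keep the task and guard it (e.g. with `failed_when: false` or a prior plugin-list fact) so the upgrade path still disables before reinstalling — but the install task's arguments continue past the hunk, so I cannot tell which case applies. The commented copy also references the floating `rclone/docker-volume-rclone:amd64` tag; if the install task below uses the same unpinned reference, that is worth pinning to a digest or versioned tag to keep the swarm's volume driver reproducible.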
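Review bot: The new `sync-stacks)` case calls the three `action_stack_*` functions unconditionally in sequence, so unless run.sh enables `set -e` in its preamble (outside this hunk), a failed cleanup deploy still lets mesh and site-support deploy on top of it. Chaining them so a failure stops the run makes the intent explicit regardless of the shell options: `action_stack_cleanup && action_stack_mesh && action_stack_site_support`, or `action_stack_cleanup || exit 1` before each subsequent call if you want a non-zero exit status surfaced to the caller. The enclosing `case` statement starts and ends outside the hunk.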