9-8-2021 | Notion

Wednesday, September 8, 2021

Unfortunate Souls: Heather, Adam, Michael, Rob Scialli

Updates since last time

WAREHOUSE DAY - Sat, Sept 4
- Adam did some DNS stuff
- Aaron mounted a core switch
  - May still need uplink work
- We reorganized the TechOps section
- FreeIPA organization
  - GitLab
  - Proxmox
  - Also merged Heather’s client work
DNS ready to be merged
- Prod branch will host magevent.net
- Prod also delegates to subdomain branches
Email relay host in progress
- Rob Scullin set up AWS emailer stuff and sent Adam creds
- Yesrod has stuff to do this manually for now
- Needs added to Bridges
Aaron - Fixes to Proxmox front end
- DOESN’T COMPLAIN ABOUT SUBSCRIPTION
  - Script to fix that after updates
- Don’t have to remember port 8006 anymore
Proxmox is a ACME front end
- This may help with Let’s Encrypt cert distribution

Things we want done for next time - Sprint 3: 9/8 - 9/22

Jira organization
- Some progress made, but room for more organization
- Aaron has taken over Jira organization
- Rough idea for a 3-tier organization https://www.atlassian.com/agile/project-management/epics-stories-themes
  - Initiative: Event (in this case Super 2022)
  - Epic: Component/category (network, compute, etc.)
  - Story/Task: Specific task
Deploy additional pylons containers and VMs - NEEDS TICKET(S)?
- Identify list of core guests to be present in Terraform - @yesrod
- Stub out hosts
  - Example: https://github.com/magfest/bridges/blob/main/terraform/lxc-dhcp.tf
- Hosts:
  - DNS (ready for merge)
  - Loghost (already defined)
  - NTP (already done?)
    - https://github.com/magfest/bridges/issues/55
  - SMTP relay
  - DHCP
    - https://github.com/magfest/bridges/issues/5
  - TFTP
  - Other stuff I’m not thinking of
DNS management via Ansible - TOPS-77
- READY TO MERGE
- Also use this info to build /etc/hosts file for each guest
  - https://github.com/magfest/bridges/issues/14
- May want to leverage FreeIPA for root zone?
  - CoreDNS
  - DNSSEC, etc.
  - Something to research
  - Not as much control over DNS entries
  - FreeIPA docs say “don’t use it outside of dev”
- Also, can we use Ansible’s nsupdate support
- Magfe.st domain removed
  - ipam.magfe.st
    - Do we want IP management?
    - phpIPAM
    - Might help create a node registry for Terraform/Ansible
  - CSW “gold master config” - dns*.magfe.st
    - May already be fixed?
Local/break-glass users - NEEDS TICKET?
- https://github.com/magfest/bridges/issues/17
- Password/shared cred management?
  - Bitwarden?
  - Mozilla SOPS?
    - Lives in repo, could live in existing Bridges repo
  - We’re kind of abusing Ansible Vault too...
Backups - NEEDS TICKET?
- Ensure FreeIPA data is getting backed up to the Synology
- Figure out off-site replication to Backblaze or whatever - TOPS-94
  - Coordinate with Rob Scullin
- Not getting backup emails anymore…
  - Being addressed
Move notes to Confluence - DONE
- https://docs.magfest.net/display/TOPS/Meeting+Notes
- Copy these notes there as well
- Page per meeting date
OTP auth in FreeIPA - NEEDS TICKET
- Low/wishlist priority
  - Will happen after we have things to auth into
- Is it possible to do OTP/2 factor for the FreeIPA GUI?
  - Existing OTP support is for ALL of FreeIPA
  - How granular is OTP?
    - Options exist per server, but may not do what we want
- Do we require passwords for sudoers?
  - Yes for passwords, maybe for OTP?
Ansible execution - TOPS-102
- Cron lol
  - More specifically, scheduled GitLab runner tasks
  - Every 30 minutes
    - https://docs.gitlab.com/ee/ci/pipelines/schedules.html
- Prevent auto Ansible runs?
  - Touch something like /panic
  - Playbook looks for that file and errors out if present
  - Ansible logging errors dumping into like Slack enforces not abusing that mechanism
- Ansible runs on the GitLab runner need set up
  - Currently using Task...something (Taskfile?) (Go version of make)

Problems

oh $DEITY i’m so tired 2 - electric boogaloo
Get Mike and Rob VPN
- Mike also access to Zabbix