Wednesday, September 8, 2021
Unfortunate Souls: Heather, Adam, Michael, Rob Scialli
Updates since last time
- WAREHOUSE DAY - Sat, Sept 4
  - Adam did some DNS stuff
  - Aaron mounted a core switch
    - May still need uplink work
- We reorganized the TechOps section
  - FreeIPA organization
  - GitLab
  - Proxmox
- Also merged Heather’s client work
- DNS ready to be merged
  - Prod branch will host magevent.net
  - Prod also delegates to subdomain branches
- Email relay host in progress
  - Rob Scullin set up AWS emailer stuff and sent Adam creds
  - Yesrod has stuff to do this manually for now
  - Needs to be added to Bridges
- Aaron - Fixes to Proxmox front end
  - DOESN’T COMPLAIN ABOUT SUBSCRIPTION
    - Script to fix that after updates
  - Don’t have to remember port 8006 anymore
  - Proxmox is an ACME front end
    - This may help with Let’s Encrypt cert distribution
Things we want done for next time - Sprint 3: 9/8 - 9/22
- Jira organization
- Deploy additional pylons containers and VMs - NEEDS TICKET(S)?
- Identify list of core guests to be present in Terraform - @yesrod
  - Stub out hosts
  - Hosts:
    - DNS (ready for merge)
    - Loghost (already defined)
    - NTP (already done?)
    - SMTP relay
    - DHCP
    - TFTP
    - Other stuff I’m not thinking of
- DNS management via Ansible - TOPS-77
  - READY TO MERGE
  - Also use this info to build /etc/hosts file for each guest
  - May want to leverage FreeIPA for root zone?
    - CoreDNS
    - DNSSEC, etc.
    - Something to research
    - Not as much control over DNS entries
    - FreeIPA docs say “don’t use it outside of dev”
    - Also, can we use Ansible’s nsupdate support?
  - Magfe.st domain removed
    - ipam.magfe.st
  - Do we want IP management?
    - phpIPAM
    - Might help create a node registry for Terraform/Ansible
  - CSW “gold master config” - dns*.magfe.st
- Local/break-glass users - NEEDS TICKET?
- Backups - NEEDS TICKET?
  - Ensure FreeIPA data is getting backed up to the Synology
  - Figure out off-site replication to Backblaze or whatever - TOPS-94
    - Coordinate with Rob Scullin
    - Not getting backup emails anymore…
- Move notes to Confluence - DONE
- OTP auth in FreeIPA - NEEDS TICKET
  - Low/wishlist priority
  - Will happen after we have things to auth into
  - Is it possible to do OTP/2 factor for the FreeIPA GUI?
    - Existing OTP support is for ALL of FreeIPA
    - How granular is OTP?
    - Options exist per server, but may not do what we want
  - Do we require passwords for sudoers?
    - Yes for passwords, maybe for OTP?
- Ansible execution - TOPS-102
  - Cron lol
    - More specifically, scheduled GitLab runner tasks
    - Every 30 minutes
  - Prevent auto Ansible runs?
    - Touch something like /panic
    - Playbook looks for that file and errors out if present
    - Having Ansible dump run errors into somewhere like Slack would discourage abuse of that mechanism
  - Ansible runs on the GitLab runner need to be set up
    - Currently using Task...something (Taskfile?) (Go version of make)
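Added illustration of the /panic stop-file and the scheduled-runner idea above (not from the notes or the TechOps repo); the job name, stage, inventory path, playbook name and hosts group are assumptions, and the check runs on the machine executing ansible-playbook:

```yaml
# .gitlab-ci.yml fragment (assumed layout): only pipelines started by a GitLab
# schedule run this job, so a plain push does not trigger an Ansible run.
ansible-scheduled-run:
  stage: deploy
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
  script:
    - ansible-playbook -i inventory/hosts.yml site.yml
---
# site.yml: a play that refuses to run while the break-glass file exists.
# /panic is the path named in the notes; it is checked on the controller
# (the runner) once, before any managed host is touched.
- name: Scheduled configuration run (every 30 minutes via GitLab)
  hosts: all
  gather_facts: false
  pre_tasks:
    - name: Check for the /panic stop file on the runner
      ansible.builtin.stat:
        path: /panic
      register: panic_file
      delegate_to: localhost
      run_once: true

    - name: Abort the whole run while /panic exists
      ansible.builtin.fail:
        msg: >-
          /panic is present on the runner; automatic Ansible runs are paused.
          Remove the file to resume scheduled runs.
      when: panic_file.stat.exists
      run_once: true
  tasks:
    - name: Normal configuration tasks would follow here
      ansible.builtin.debug:
        msg: "No /panic file found; continuing with the scheduled run"
```

Because the fail task aborts the play, a failed scheduled job is what shows up in the GitLab pipeline (and in whatever Slack notification is wired to it), which is the visible record that someone paused automation.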
Problems
- oh $DEITY i’m so tired 2 - electric boogaloo
- Get Mike and Rob VPN access
- Mike also needs access to Zabbix