From 63e153327361576fd74cc283fa8339cc8994de6b Mon Sep 17 00:00:00 2001 From: Brutesque Date: Mon, 23 Aug 2021 04:24:56 +0200 Subject: [PATCH] moved todo from readme to repository wiki --- README.md | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/README.md b/README.md index b063218..d9c16fb 100644 --- a/README.md +++ b/README.md @@ -99,19 +99,3 @@ You can also manually run the ansible task to print the urls to screen again: ``` ansible-playbook playbook-deploy --tag urls ``` - -### Todo -- Overwrite any passwords generated by the provider at vps creation -- Set "PermitRootLogin no" after becoming different user in playbook -- Don't allow ssh as root; implement ansible user that becomes root -- Check docker services and implement non-root user where possible -- Tls verification for docker? (assuming this is not applicable since this already uses tinc vpn) -- Figure out a better way for storing terraform secrets, other than environment variables. Preferably some kind of vault -- Use ansible vault for secrets (if still applicable after terraform secrets method) -- Use chronyd to synchronize time between nodes -- implement bastion (ssh and vpn) for secure acces to nodes and admin services -- Configure Tinc nodes to use private networking, if made available by the provider. Minimizes data cost. -- Create upgrade playbook, that safely drains an upgraded node before it reboots it. -- Check deployment logs thoroughly and make sure sensitive data is being masked -- Automate manager promotion when manager instance has been removed by terraform -- Figure out if it's possible to have certbot in it's own service dealing the certificates for a cluster of traefik instances to use.
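Review bot: The deleted `### Todo` section in the README.md hunk at `@@ -99,19 +99,3 @@` leaves no pointer to where the list now lives, and it was the only place in the README that recorded the open hardening items: overwriting provider-generated passwords, setting "PermitRootLogin no", moving terraform secrets out of environment variables, and checking that deployment logs mask sensitive data. Suggest keeping a one-line link to the wiki page in place of the removed section, so that someone deploying from the README alone still sees that these items are outstanding. The wiki side of the move is not part of this patch, so the diff alone does not show that all 14 items were carried over; worth confirming before merge.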