5.6 KiB
5.6 KiB
Roadmap
Phase 1 — reorg + Charlie repos
- Inventory
/mnt/nas/stacks. - Push
Charlie/project-charlie. - Snapshot
volume1/ubuntuon miquella. - Tier 1 pilot (
ddclient,homarr,vaultwarden). - Tier 2 (
caddy,gssh,directoryadmin,mediacompose). - Tier 3 (
ldap,authentik,bookstack,monica,miniflux,planka,audiobookshelf,gitea). - Tier 4 — collapse upstream-cloned stacks (
mealie,paperless-ngx,victoriametrics,searxng,invidious). - Tier 5 — long tail. See repos.md.
- Sweep
/mnt/nas/home/*.retired/after stability check. - Delete
/mnt/nas/home/once empty. - Mohg inventory + migration.
- Malenia (mac) re-onboard. NFS mount currently unreliable from malenia → otelcollector mac install deferred. Investigate NFS/SMB/AFP mount options or switch to a different sync mechanism.
Phase 2 — CI
- Design runner stack —
Charlie/runners. Open question: secrets sourcing (vaultwarden? Gitea Actions secrets? SOPS?). - Stand up runners on morgott + melina, register org-scope to
Charlie. - First end-to-end pipeline: push to
Charlie/ddclient→ webhook → redeploy on morgott. - Build pipelines on
amacocian/*source repos to push images to gitea registry (replaces "build on laptop"). - Per-stack
deploy.yamlworkflows in everyCharlie/<stack>. - Multi-host matrix workflow for shared stacks (
otelcollector,portainer-agent).
Phase 3 — Automation
- Diun watching registries → webhook →
redeployworkflow withforce-pull. - Retire
watchtower. - Drift detection: running compose vs repo compose.
- Backup verification against miquella.
- Cert/secret expiry checks (authentik, caddy, signing CA).
- Secret rotation pass — every stack with secrets exposed during reorg (most of them).
Phase 4 — NAS layout polish
- Rename
/mnt/nas/media-server/→/mnt/nas/media/and update mediacompose.env. - Rename
/mnt/nas/ldap/→/mnt/nas/ldap-certs/. - Move
/mnt/nas/portainer/data/→/mnt/nas/data/portainer/(when portainer migrates).
Phase 5 — Cross-cutting concerns (backlog)
These don't block earlier phases, but capture them now so they're not forgotten.
Centralization
- Centralize
deploy.sh. Every shared stack ships a copy of the same script (see strategy.md → Shared stacks). Options: a small repoCharlie/charlie-toolscloned to/usr/local/share/charlie/on every host, withdeploy.shinvoked as a single host-installed binary. Stacks then just declare their compose layout; the host'scharlie-deployscript picks the right files. Decide before the next "shared stack" arrives. - Centralize shell setup.
Charlie/shellrepo withprofile.d/,inputrc, etc., cloned to/usr/local/share/charlie-shell/(or/etc/profile.d/charlie.shsourcing a NAS path). Same delivery channel ascharlie-tools. - Centralize host-level scripts.
sync-ca.sh, future temp/storage metric collectors (afterserver-mgmt-utilsis dismantled), maybe acharlie-host-bootstrapto handle SSSD / docker / mounts. Likely lives underCharlie/charlie-toolsor a sibling.
Observability
- Grafana provisioning git-backed. Was previously synced from github; that integration was removed when migrating off github. Restore via Gitea — either grafana's native git provisioner or a workflow that syncs
Charlie/grafana-dashboards→ grafana'sprovisioning/dashboards/directory on morgott. Dashboards become version-controlled assets.
Secrets
- Decide on secrets sourcing for runners + stacks. Candidates: vaultwarden as source-of-truth + a runner-side fetch step that materialises
.envper job, Gitea Actions secrets (per-repo), SOPS-encrypted-in-repo. Investigate before any deploy pipeline that needs to write a.env.
Identity & access
- Auto-mount user home folders on SSH connect. Currently each user's
$HOMEis local to the host they SSH into. Want each user's home to be a NAS-backed share automounted on connect (NFS or autofs + LDAP user attribute). Should pair with the LDAP-backed SSSD setup (Charlie/ldap). Design before more users land. - Miquella into the LDAP/SSH fold. DSM is currently outside the SSSD-backed identity. Configure DSM's LDAP client to point at
Charlie/ldap, trust the SSH signing CA (/volume1/ubuntu/ca/ssh/ssh_user_ca.pub), and accept ephemeral certs from gssh. Goal: malenia + miquella both onboarded into the gssh terminal flow with LDAP-driven access. - Per-host git identity. Each host needs its own credential to talk to Gitea — currently we paste a PAT inline. Decide: per-host PAT stored in the host's keyring, host-keyed SSH key registered as a deploy key on each
Charlie/<stack>(rotation pain), or one "host-fleet" service account in Gitea with org-scope read + per-stack write. - Per-repo permissions via LDAP-backed service accounts. Use
Charlie/ldapto provision service accounts (e.g.svc-runner-morgott,svc-deploy-mediacompose) that Gitea recognises through OIDC. Per-reporead/write/adminroles map to LDAP groups. Replaces the current "everything pushes asamacocian" pattern. Required before runners go live so a compromised runner has bounded blast radius.
Cleanup
- Server-mgmt-utils. Mostly dead. Extract the temp/storage metric scripts into either
Charlie/otelcollector/scripts/(so otel can scrape them) or a newCharlie/host-scriptsrepo. Then archive the original. plist/— classify and decide.