-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathTODO
96 lines (96 loc) · 5.46 KB
/
TODO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
* README.md: Grab the size on disk (according to dpkg and Docker)
* README.md: Grab memory requirements from systemd
* postrm script to remove Docker volumes
* Devise a way to enable/disable whole locations/services at runtime?
* Explore rootless Docker (Re-map user id of files within containers)
https://docs.docker.com/engine/security/userns-remap/
* Set up non-root user with systemd
* docker-compose.yml: persist container logs to volume
certbot:/var/log/letsencrypt.log
nginx:/var/log/nginx/{access,error}.log
* Verify all containers have the same timezone (probably requires mounting
/etc/localtime into the container).
* Cron to get regular backups of the images
* Cron to archive all backup images regularly and keep a few around
* Document format/behavior of volumes.dvm.lock in README.md
* Integrate tar --diff option
This option compares the contents of the volume to the contents on disk.
Useful to prevent unnecessarily changing the contents of disk.
* This repository doesn't really support testing "in-repository." It should.
* Implement MAC using Nginx to remove auth/auth, identity mgmt. from apps.
* We should be building the Debian package in Docker or a fakeroot to ensure
all dependencies are captured in the debian/control file. For example, we
probably rely on a Python package or two from PyPI, which can't be installed
via apt/dpkg.
* This repository should provide an apt list once mini-dinstall is added.
* We should be careful to remove apt/dpkg/apk from OCI images, or whatever
programs are unnecessary.
* Currently, if any of the images assembled during the build process are
removed, but the build.lock file remains on the filesystem, the build system
will not attempt to rebuild the images.
* We should create a git-hook that ensures images assembled during the build
are pushed up to docker hub and tagged appropriately.
* Look into ways to make the Python applications faster. See the following
link: https://packaging.python.org/overview/
* Some variables, like the port in the edtwardy/apps image, are speciied as
magic numbers in too many places.
* Create non-root user for uWSGI application
* Connect Nginx and uWSGI using a Unix socket.
* When the docker-volume-manager becomes feature-stable and meets all of my
use cases, rewrite in Rust, define requirements, write tests, documentation
and publish under an open source license.
* Better tracking of runtime dependencies for Rust applications?
* Port edtwardy-webservices.bash to use getopt
* Create bash completion for edtwardy-webservices.bash
* Comprehensive review of container security--e.g., if an attacker gains access
to one of my containers, what's to stop them from running a new container
mapping /dev/mapper/edtwardy-vg--root and nukeing my filesystem? (This, of
course, assumes that Docker-in-Docker works the way I think it does...)
* volumemanager container sometimes stays behind after stopping services?
* Add --auto-tag <description> parameter to edtwardy-webservices which appends
salt to <description> and uses it as the tag for the backup operation. See
docs/ContainerVolumeManager.md to see how I did it.
* django-bookmarks should either expose the auth redirect url in settings, or
not perform a redirect, and just return an HTTP error.
* Backing up an image without a tag doesn't work.
* Create a route that redirects the website root '/' to an actual URL
* Consider disabling referrals in django-auth-ldap?
* Add StartTLS support to django-auth-ldap and openldap server
* Create bind to further secure openldap server (retrieve passwd from env)
* Could probably speed the build by building the wheels on the host and then
copying into the container...since we have to copy it into the container
anyways...
* Subclass a login mixin to require group membership in "Bookmarks" group in
order to access bookmarks urls.
* Version all OCI images to tags.
* make package target still includes build artifacts present in .gitignore
* Fix email address in file headers
* Currently, when adding new files to the package, we need to add them to the
Makefile and to the respective debian/*.install file. This process will get
even worse when we go to add *.spec files, PKGBUILD, or whatever files are
required to package for other distributions.
* Probably some ways to optimize the apps containerfile further?
* Put jenkins containers into a different docker-compose.yml and package them
separately, but list as a dependency in debian/control and systemd unit file.
* Tag edtwardy images
* edtwardy/jenkins-agent image creates two unnamed shared volumes.
* Mini-dinstall instance
* Pypi server
* Git server
* Web status dashboard (landing page and status/log viewer)
* RSS viewer
* Disk monitor
* VPN server
* Self-hosted spreadsheet app, like Google Docs
* Add edtwardy-hostinfrastructure package--includes SSH/firewall configs, etc.,
and installs fail2ban and other packages by dependency
* SFTP server with pam_ldap.so, integrated with Jenkins for Yocto SSTATE mirror
* Self-hosted photo album
* systemd service for edtwardy-vps to ensure wireguard server is running
* Jellyfin depends on the edtwardy-webservices_default network, which, if CVM
is still populating the volumes from the images when the
edtwardy-jellyfin.service starts, doesn't exist.
* Jellyfin takes a long, long time to start??
* The Jellyfin desktop app available in flathub does not support connecting to
servers served at a sub-url. Perhaps I should make it a separate vhost on
port 8096, behind an Nginx reverse proxy for SSL?