# Meeting 2020 09 10

[[_TOC_]]

## Mail migration

### State

* The mail migration has not been started yet.
* The plan is that nobody will be able to ssh into the new VPS, but passwords will be migrated.

### Who

* grazzolini

### Actionable

* Grazzolini expects to handle the migration to a VPS either today or tomorrow.
* After the mail migration is done, we will work on improving ssh access or setting the mail password.

## Hetzner DNS Terraform

### State

All our DNS records are now managed by Terraform and can be found in `tf-stage1/archlinux.tf`.

### Who

* svenstaro

### Actionable

* Create a new machine issue template for migrations / new services on GitLab. (@jelle)

## Keycloak/GitLab opening up

### State

Last Saturday we reviewed Keycloak with WebAuthn enabled and validated that everything works as expected. 2FA is now enabled for everyone, as we are unable to come up with a flow that makes 2FA optional while remaining secure.

The WebAuthn changes are not in Terraform yet, as the Keycloak Terraform provider does not support it yet. Upstream has a [pull request](https://github.com/mrparkers/terraform-provider-keycloak/pull/356) to add support for it.

Blockers:

* Some form of user documentation for setting up and resetting 2FA.
* Theme [Keycloak's 2FA page](https://accounts.archlinux.org/auth/realms/archlinux/account/) to warn users that they have to set up 2FA. #132
* GitLab/Keycloak usage mail to staff on what to expect with Keycloak and GitLab, how to use them, how to log in, how to get an account.
* Contingency plan for malicious signups / users / comments / abuse.

### Who

* Everyone

### Actionable

The ticket to track the general opening up status is: #39

## Keycloak group structure

### State

@jelle has been working on adding the Support Staff groups into Keycloak so they can be onboarded and put in the correct groups for when the services are connected to Keycloak.

### Who

* @jelle

### Actionable

* Get !57 merged.

## Kape Servers configuration coordination

### State

Kape sponsors five servers:

* 3 distributed mirrors + archive mirrors (Asia, Europe, Americas)
* CI box
* big build box

For now we will treat these servers as untrusted, so no package building will happen on them.

### Who

* unassigned

### Actionable

* Provision and install the boxes

## Prometheus changes & Zabbix

### State

All basic Prometheus functionality has been merged and deployed on a subset of our servers.

### Who

* @jelle

### Actionable

Add documentation for the following tasks:

* Using Grafana / where to find Grafana
* Adding a Grafana dashboard
* Adding Prometheus monitoring / different types of collectors (mysqld, memcached, borg, etc.)
* Adding a new alert on Alertmanager

## Change meeting time

### State

@lambdaclan is unable to attend meetings now as he lives in the JST time zone, so maybe we can change the meeting time.

### Who

* @jelle

### Actionable

* We can change to 2h earlier (16:30 UTC) if that makes it more convenient for @lambdaclan.