rootsystem/notes.txt


TODO:

Clean up post_to_object_storage_shell_script. Make it a template rather than a variable?


forest@tower:~/Desktop/git/rootsystem/terraform-modules/ansible-threshold-server$ ansible-playbook --private-key '/home/forest/Desktop/git/rootsystem/ssh/servergarden_builtin_ed22519' -i '104.131.56.31,' -u root -e 'domain=server.garden arch=amd64' playbook.yml


defense in depth local tls tin foil hat stuff:
Ideally we could use TLS on the connection between terraform and rootsystem.

Currently this backend only has two options, either use a public x.509 trust based TLS cert, or skip cert verification. We want to use TLS for improved security, but we also want to do it all on the private network without having a domain name or asking for permission. 

So we will have to modify terraform to add a new "Trusted CAs" option here: https://github.com/hashicorp/terraform/blob/master/backend/remote-state/http/backend.go

That way we can make our own CA, our own certificate, and then tell terraform to trust that CA. Then terraform can connect to our HTTP server securely for remote state storage.


curl --cacert "server.garden_CA.crt" \
  --key "pi4@server.garden.key" \
  --cert "pi4@server.garden.crt" \
  -sS https://server.garden:9056/clients | jq .


curl --cacert "server.garden_CA.crt" \
  --key "pi4@server.garden.key" \
  --cert "pi4@server.garden.crt" \
  -X PUT -H "Content-Type: application/json" \
  -d @tunnels.json \
  -sS https://server.garden:9056/tunnels | jq .
fixing encryption padding bug and terraform state storage issues 2020-05-26 15:31:53 +00:00
Got terraform apply triggered by code and apply status streamed to object storage 2020-06-07 21:13:32 +00:00			`TODO:`
fixing encryption padding bug and terraform state storage issues 2020-05-26 15:31:53 +00:00
Got terraform apply triggered by code and apply status streamed to object storage 2020-06-07 21:13:32 +00:00			`Clean up post_to_object_storage_shell_script. Make it a template rather than a variable?`
make a proper readme 2020-08-15 01:47:01 +00:00

working on handling ansible module errors correctly 2020-09-22 17:38:58 +00:00			`forest@tower:~/Desktop/git/rootsystem/terraform-modules/ansible-threshold-server$ ansible-playbook --private-key '/home/forest/Desktop/git/rootsystem/ssh/servergarden_builtin_ed22519' -i '104.131.56.31,' -u root -e 'domain=server.garden arch=amd64' playbook.yml`
make a proper readme 2020-08-15 01:47:01 +00:00


			`defense in depth local tls tin foil hat stuff:`
			`Ideally we could use TLS on the connection between terraform and rootsystem.`

			`Currently this backend only has two options, either use a public x.509 trust based TLS cert, or skip cert verification. We want to use TLS for improved security, but we also want to do it all on the private network without having a domain name or asking for permission.`

			`So we will have to modify terraform to add a new "Trusted CAs" option here: https://github.com/hashicorp/terraform/blob/master/backend/remote-state/http/backend.go`

			`That way we can make our own CA, our own certificate, and then tell terraform to trust that CA. Then terraform can connect to our HTTP server securely for remote state storage.`
readme wording 2020-08-15 01:53:14 +00:00





			`curl --cacert "server.garden_CA.crt" \`
			`--key "pi4@server.garden.key" \`
			`--cert "pi4@server.garden.crt" \`
			`-sS https://server.garden:9056/clients \| jq .`


			`curl --cacert "server.garden_CA.crt" \`
			`--key "pi4@server.garden.key" \`
			`--cert "pi4@server.garden.crt" \`
			`-X PUT -H "Content-Type: application/json" \`
			`-d @tunnels.json \`
			`-sS https://server.garden:9056/tunnels \| jq .`