The best way to start is to read this document, then join the and say hello! We’ll help you from there.
Rust team services have traditionally been managed in a fairly ad-hoc manner. Our aim is to make this less ad-hoc in as minimal a way as possible, providing some simple way to automate existing common tasks on our infra, from setting up a service from “box is empty”, to performing a regularly required restart - nobody should ever be logging onto a box.
There will likely be significant interaction with the WG-infra-secure team, though our focus is on incrementalism and working with what exists today to ‘document’ it.
- Create a set of shell scripts to maintain the services that exist today.
- Take ownership of services that exist on third-party servers.
- Solve secrets as minimally as possible.
Open work items
The things on this list tend to be spread across repositories, and may not be directly actionable by everyone - discussions to inform the changes are just as important as the changes themselves.
- Get RustStatus hosted on actual rust-lang infra
  - Work item: add a Dockerfile for . As part of this, the hardcoded Twitter API keys will need to move to a separate file (maybe even the sopel cfg if possible?) so any files with secrets in can be mounted as volumes - see as inspiration
  - Work item: poke aidanhs to enable Docker Hub automated builds
  - Work item: migrate secrets to using the parameter store (see next ‘high level’ work item) - the hardcoded Twitter API keys should be relatively ‘easy’, but hooking this up with the sopel cfg as well may be harder
- Get RCS ‘complete’ - Work with the WG-infra-secure team to solve for . The AWS Parameter Store has been suggested. We want a secret management tool that has as small a delta from the current “unencrypted things on disk” as possible, while still being secure. See https://github.com/remind101/ssm-env as possible inspiration.
  - Work item: providing a PR on RCS as a proof of concept to retrieve values from AWS parameter store
- Add additional services to the and get acrichto to run them. Includes taking ownership of things like RustStatus (owned by aidanhs), highfive (https://github.com/nrc/highfive/issues/81, owned by nrc) - for each of these we need to decide where they will live, upload their secrets and tweak the code as appropriate, and add any scripts for common maintenance tasks
  - Work item: add a shell script for the startup of RustStatus
- Consolidate/improve play infra setup, e.g. https://github.com/integer32llc/rust-playground/pull/191. Also note it’s self-maintaining, so it just needs a “setup from fresh box” script.
Completed work items
- None yet!