The best way to start is to read this document, then join the chat and say hello! We’ll help you from there.
Rust team services have traditionally been managed in a fairly ad-hoc manner. Our aim is to make this less ad-hoc in as minimal a way as possible, providing a simple way to automate existing common tasks on our infra, from setting up a service from “box is empty” to performing a regularly required restart. Nobody should ever be logging onto a box.
There will likely be significant interaction with the WG-infra-secure team, though our focus is on incrementalism and working with what exists today to ‘document’ it.
Create a set of shell scripts to maintain the services that exist today.
Take ownership of services that exist on third-party servers.
Solve secrets as minimally as possible.
Open work items
The things on this list tend to be spread across repositories, and may not be directly actionable by everyone - discussions to inform the changes are just as important as the changes themselves.
Get RustStatus hosted on actual rust-lang infra
Work item: add a Dockerfile for RustStatus. As part of this, the hardcoded Twitter API keys will need to move to a separate file (maybe even the sopel cfg if possible?) so any files with secrets in them can be mounted as volumes - see RCS as inspiration
Work item: poke aidanhs to enable Docker Hub automated builds
Work item: migrate secrets to using the parameter store (see next ‘high level’ work item) - the hardcoded Twitter API keys should be relatively ‘easy’, but hooking this up with the sopel cfg as well may be harder
Get RCS ‘complete’ - Work with the WG-infra-secure team to solve secret management for RCS. The AWS Parameter Store has been suggested. We want a secret management tool that has as small a delta from the current “unencrypted things on disk” as possible, while still being secure. See https://github.com/remind101/ssm-env as possible inspiration.
Work item: providing a PR on RCS as a proof of concept to retrieve values from AWS parameter store
Add additional services to the simpleinfra repo and get acrichto to run them. Includes taking ownership of things like RustStatus (owned by aidanhs), highfive (https://github.com/nrc/highfive/issues/81, owned by nrc) - for each of these we need to decide where they will live, upload their secrets and tweak the code as appropriate, and add any scripts for common maintenance tasks
Work item: add a shell script for the startup of RustStatus
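One way the Parameter Store work items above could look as a shell script that keeps the "secrets file mounted as a volume" model and marks values with an ssm:// prefix in the style of ssm-env. This is an added example, not code from RCS, RustStatus or simpleinfra; the helper names, parameter names and file paths are hypothetical, and it assumes the AWS CLI is installed with credentials that can read the parameters.

```shell
# Added example, not project code. Template lines of the form
#   NAME=ssm:///parameter/name
# are replaced by the decrypted value; every other line is copied through.
# Parameter names and file paths are hypothetical.

# Fetch one decrypted value. Separate function so it can be stubbed in tests.
fetch_param() {
    aws ssm get-parameter --name "$1" --with-decryption \
        --query 'Parameter.Value' --output text
}

# render_secrets TEMPLATE OUTPUT
# Writes OUTPUT (mode 0600) via rename; on a failed fetch OUTPUT is left untouched.
render_secrets() {
    local template output tmp line key val value
    template=$1
    output=$2
    # mktemp creates the file 0600, so secrets are never world-readable.
    tmp=$(umask 077 && mktemp "${output}.XXXXXX") || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        key=${line%%=*}
        val=${line#*=}
        # Copy through: no '=', a comment, or a value that is not a reference.
        if [ "$key" = "$line" ] || [ "${key#\#}" != "$key" ] ||
           [ "${val#ssm://}" = "$val" ]; then
            printf '%s\n' "$line" >>"$tmp"
            continue
        fi
        if ! value=$(fetch_param "${val#ssm://}"); then
            echo "render_secrets: cannot fetch ${val#ssm://}" >&2
            rm -f "$tmp"
            return 1
        fi
        printf '%s=%s\n' "$key" "$value" >>"$tmp"
    done <"$template"
    mv "$tmp" "$output"
}

# Usage (hypothetical paths), then mount the output into the container:
#   render_secrets ruststatus.env.tpl /run/ruststatus/secrets.env
```

The template can be committed to the repository because it holds only parameter names; the rendered file is the only thing that contains secret values.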