wuvt / it-tasks Goto Github PK

note; each node probably will be a /96

https://radiodns.org/news-campaigns/news/2020/07/21/creating-your-own-si-file/ https://github.com/radiodns/nab-radiodns-setup-tutorial/

09070.8BAD.us.fm.radiodns.org. 900 IN CNAME radiodns.wuvt.vt.edu.

e.g., new k8s cluster is a project.

Migrate articles from old versions of the WUVT site to the current site.

We need to find some way to handle SSH authentication if we move all authentication to Google. SSH certificates have been suggested as a good way to do this, so we should investigate if that will work for us. If so, we should create another issue to actually roll out their use.

We should set up a simple static HTML portal page that has links to all the services we run. Here's a non-exhaustive list of things we could include:

• https://www.wuvt.vt.edu/
• https://am.wuvt.vt.edu/
• https://trackman-fm.apps.wuvt.vt.edu/
• https://trackman-am.apps.wuvt.vt.edu/
• https://playlists-fm.apps.wuvt.vt.edu/
• https://wuvt.slack.com/

There are also a few services that only IT and engineering are really going to be using, that we could include under a separate header:

• https://eas.apps.wuvt.vt.edu/
• https://kibana.apps.wuvt.vt.edu/
• https://grafana.apps.wuvt.vt.edu/
• https://sensu.apps.wuvt.vt.edu/

We also might want to include links to all our G Suite stuff as well.

The SSPL is not considered an open-source license. Elastic have relicensed Elasticsearch and Kibana 7.11 under the SSPL (with continued availability under the non-free Elastic License, while prior versions were licensed under Apache 2.0.

Does this license change affect our willingness to use and develop against Elasticsearch in pload or run ELK for log analytics?

easy enough, right?

WUVT linx intentionally has a very short file lifetime of 1week. We need a more permanent solution for sharing images to e.g. github tickets. Abusing wuvt-site is an option, as long as we figure out how to audit uploaded files.

we run elasticsearch for wuvt/pload, but intentionally don't support pagination or large result sets. There should be a minimal app to browse tracks in our digital library.

rewrite iptables rules in nftables, s.t. they live on oko. ideally these will go in ansible, later.

google supports ldap. However, it is unclear how this will interface with mandatory 2fa for google accounts.

Ephemeral guest accounts may be an acceptable alternative for most users.

The code changes have already happened, but the config changes to do this have not yet been deployed. This should happen by October 1 at the latest; we'll need to make sure that everyone who needs access already has an account by then.

Once we have everything migrated to use Google for authentication, we can decommission our dex deployment.

to new k8s cluster, of course

consider wuvt/trackman#114 and wuvt/pload#5

Some rough thoughts: use a modal in trackman to allow user to search for rotation (instead of current rotation selection), but basically track only musicbrainz recording-id internally.

We should get more feedback from music, and also use this to handle wuvt/trackman#110 and the interesting parts of wuvt/trackman#112

quay.io, docker hub are both legacy-IP-only

As an open-source organisation, we frequently find ourselves working with various licenses. Our own projects are made available licensed under the GPLv3.0, AGPLv3.0, MIT, ISC, or are formally unlicensed (implicitly, all rights reserved).

These licenses, as well as the GPL 2.0, LGPL 2 and 3, Apache 2.0, Mozilla MPL 2.0, and 2 or 3-clause BSD frequently come up, and most of the time do not introduce license incompatibility concerns. We also use code under CDDL (a copyleft GPL-incompatible license) and the OpenSSL license (also GPL-incompatible), and the Postgres License, which strongly resembles MIT or BSD.

However, with these >14 different licesnses (all of which are "open source" per OSI, and many of which are Libre, per GNU), there are a lot of terms/conditions to keep track of, and potentially unwanted interactions between. Further, it is quite likely that we engage in various non-free licenses to use hardware we have (sometimes in embedded appliances such as our EAS equipment or AoIP network, but also in general-purpose computers), and per #31 could be effected when our upstreams relicense software to be non-free.

We should make an effort to 1) track the licenses of software we use, 2) consolidate what our own code is licensed under, 3) codify why our software is licensed to guide future decisions, and 4) evaluate the effects of non-free code on our general ethos and on our operations, and identify where it is acceptable or not.

flint should have enough music and PSAs and IDs and such to play for several hours even if it can't talk to the file server. it should noisily alert us if it plays from this for a prolonged period fo time, and should generate a logfile if it cannot talk to trackman. This is a multi-part project but mostly a johnny-six thing.

c.f. wuvt/wuvt-site#263:

@mutantmonkey writes:

We should have integrated show scheduling functionality. I'm thinking that there are really two things that need to be configurable: the time slots, which are only changed rarely, and the shows for each slot, which are changed basically every semester.

The default view should be the show scheduler, which should have a way in each time slot to either directly select a show there or access a page where show information can be entered. There should be an option to access the time slot configuration from this page, perhaps with a cog icon or something.

Shows should be able to have a DJ associated with them, but it should not be required. If there's a DJ associated with a show that starts in the next 15 minutes or has at least 15 minutes remaining, Trackman should suggest the show and provide a simple one-click login.

Also see document in design-specs

for pload, of course

After running kubeadm init, install calico

needs nginx basic-auth proxy, and needs data populated. ideally we'd set up a k8s cron job to replace the contents of the db periodically.

self-explanatory

local admin accounts on systems have ssh keys installed in initial deployment, and infrequently used thereafter. we should audit these installs to ensure that only appropriate users/keys have access.

probably not worth much until wuvt/johnny-six#13 gets figured out

I want to stop including bootstrap sources, jquery source, openiconic, and web fonts in various WUVT projects, as it's a confusing mess.

Bootstrap and others recommend using 3rd-party CDNs like jsdeliver or bootstrapcdn. This is unacceptable
from a privacy perspective.

We should run our own cache of these shared sources from a WUVT location, and build tools to allow configuration of
an official or custom CDN.

We only need to migrate a small subset of mailboxes.

We should stop using IP whitelists for trackman and mission control. Consider using a client certificate for studio workstations.

we need a way to install kubeadm on all of our k8s cluster nodes; this ideally will be automated with ansible (See wuvt-ansible)

We've half-reimplemented auth for trackman, wuvt-site, donormotor, pload, and other services. ideally we'd reduce our code maintenance burden by building a python library all of these would share.

we have wuvt/design-specs which summarises some items and tasks. we should consider merging these repositories.