I guess it’s been a little over a month, so, I should record that I’m well and alive.
The busy period I’ve been building up to is about to start. I’m genuinely not looking forward to most of that.
Part of that has involved a full hardening pass on all SILO projects.
I managed to poke Linode enough to get the capability for a DISA STIG hardened ALMA 8 image without sacrifices I wasn’t willing to make in 2024 when I first made issue of it with them. From there it’s the introduction of identity management with FreeIPA.
DNS, a CA, and then figuring out how to expose it without it just being a liability. I ended up only binding the IPA UI to a loopback with Apache and then an NGINX reverse proxy handles the traffic passthrough rules so I can have more control over what actually gets exposed and block the things that are a security problem.
Then, using mokey as a base, I stood up a self-service portal at:
https://accounts.silogroup.org
I added some features to it and branded it. It is at this point no longer mokey but something based on Mokey, as, there were a ton of security problems under the hood that had to be fixed — exposing mokey to the public without these changes is genuinely just a time bomb waiting to happen. It’s written in Go, and I really don’t code in Go, but, the libraries were surprisingly mature and it turned out great.
Then recreating all the servers with the new STIG image, creating a new commons for hosting the bajillion separate sites I had going through virtualhosts, then hardening those, then joining the various services to my IPA either directly where they support it or via LDAP.
Then moved the SCM from source.silogroup.org to git.silogroup.org, migrated the data, joined it, hardened that, themed it. It turned out well.
I ended up with a pretty cohesive and integrated infrastructure for SILO that allows people to sign up and request access, so, I think this is going to be a long-term configuration designed for efficient growth. I’m pleased with the results. This gives it all a clean slate to maintain a little easier, as, since these services were sprung up organically over, what — since 2014? 12 years of organic sprawl deserves a rebuild.
Cleaned up email on the silogroup.org domains. This was the hardest part of the refresh, honestly. Google has wrecked email security for everyone by having such a large footprint and requiring such brutal precision with DKIM, SPF, and _DMARC records, but, email reliability should be fantastic now.
Those are the things I’m willing to talk about. There are still some observability quirks and operational shortcomings not worked out, that would otherwise be unacceptable to be missing in an enterprise environment, but the goal right now is reducing that financial footprint and designing for building out the next wave of items. This does both of those and gets us through the hurdle.
That hurdle, anyway. Next are 2 other hurdles I’ve been avoiding for a little over a month.
I’ve turned my living room into a gym. Baby steps and patience win. I’ve gained some weight over the last few years.
All this theming was exhausting. That it turned out okay is just pure luck. I have no business whatsoever doing frontend/UI work, so I’m glad I can move on from it now.
From here it’s time for my 2 big hurdles to start being addressed, redo the house, mix up the routine a bit, and on the SILO front, gearing up for:
- Introducing package management finally.
- Building the installer image.
Soon.