infra-automation/TODO.md

TODO - Ansible Infrastructure Automation

Last Updated: 2025-11-11 Priority: CRITICAL = 🔥 | HIGH = ⚠️ | MEDIUM = 📋 | LOW = 💡

---

📊 Planning Documents Created

NEW: Comprehensive improvement planning completed!

• ✅ IMPROVEMENT_PLAN.md - Strategic improvement plan across 7 areas
• ✅ TASKS_WEEK_47.md - Detailed executable task plan for this week

---

This Week (Week 47) - COMPLETED ✅

Focus: Critical Infrastructure Recovery & Security Audit Detailed Plan: See TASKS_WEEK_47.md Status: 9/13 tasks completed (69%), 4 blocked/deferred

🔥 Critical (P0)

• BLOCKED - Recover derp VM - requires ansible user creation (deferred - low priority)
• ✅ RESOLVED - Git push permission issue - SSH key created and configured
• ✅ RESOLVED - Gitea repository recreated with proper SSH authentication
• BLOCKED - Execute system info playbook on derp (blocked by derp access)

⚠️ High Priority (P1)

• ✅ Install qemu-guest-agent on mymx - VERIFIED operational
• BLOCKED - Configure swap on derp (blocked by derp access)
• ✅ Create Docker security audit playbook - playbooks/audit_docker.yml
• ✅ Execute Docker security audit on pihole - 2 MEDIUM, 1 LOW findings
• ✅ Execute Docker security audit on mymx - 1 CRITICAL*, 1 HIGH*, 2 MEDIUM, 1 LOW
• ✅ Update CHANGELOG.md with Week 46 improvements - version 0.2.0 released

📋 Medium Priority (P2)

• ✅ Fix ansible-galaxy configuration error - removed automation_hub config
• ✅ Stop derp VM and disable autostart
• ✅ Create Docker security findings documentation - docs/security/docker-security-findings.md
• Document derp recovery procedures in runbooks (not needed per user)
• Weekly review and metrics update (not needed per user)
• Create Week 48 task plan

---

Next 2 Weeks (Weeks 48-49)

⚠️ High Priority

• Create separate inventories public repository
• Implement automated compliance checking
• Set up CI/CD pipeline (Gitea Actions/Jenkins)
• Create backup procedures for critical VMs

📋 Medium Priority

• Add production/staging inventory configurations
• Create pre-commit hooks for quality checks
• Docker security hardening implementation

---

Next Month (Dec 2025)

⚠️ High Priority

• Create functional Molecule test scenarios
• Implement common base system role
• Create security_hardening role (CIS compliance)

📋 Medium Priority

• Set up monitoring stack (Prometheus + Grafana)
• Create disaster recovery automation
• Implement HashiCorp Vault integration

💡 Low Priority

• Create nginx/apache roles
• Create postgresql/mysql roles
• Publish collections to Ansible Galaxy

---

Known Issues

1. derp VM stopped - Requires ansible user creation, deferred (low priority)
2. Git push blocked - ✅ RESOLVED - SSH key created, repository recreated
3. pihole LVM missing - Non-compliant with CLAUDE.md, migration needed
4. QEMU agent channels - ✅ RESOLVED - mymx QEMU agent verified operational
5. Molecule tests - Structure exists but not functional
6. NEW: Docker security findings - See docs/security/docker-security-findings.md
   • mymx: 1 privileged container (justified - netfilter)
   • All containers: Missing resource limits
   • User namespace remapping needed

---

Quick Wins (< 30 min each)

• ✅ Execute install_qemu_agent.yml on mymx
• ✅ Create SSH key for git operations (secrets/ssh/ansible)
• ✅ Configure git to use SSH key authentication
• ✅ Recreate Gitea repository with proper permissions
• Fix inventory group name sanitization
• ✅ Add audit_docker.yml playbook
• Create testing cheatsheet
• Update role CHANGELOGs
• Implement resource limits on pihole container
• Pin pihole image to specific version

---

Next Review: Weekly (Mondays) Documents:

• IMPROVEMENT_PLAN.md - Strategic improvement plan (7 areas, prioritized)
• TASKS_WEEK_47.md - This week's executable tasks
• ROADMAP.md - Long-term strategic roadmap
• SYSTEM_ANALYSIS_AND_REMEDIATION.md - Infrastructure analysis