# Extended Management Plane
Extended management services for the dvntm (mobile) site: logging, telemetry, alerting, secrets, and identity. Builds on the core substrate once it is operational.
- GitHub: https://github.com/deevnet/ansible-collection-deevnet.mgmt
- Documentation: https://deevnet.github.io/deevnet-docs/
Legend: ✅ Complete | 🔄 In Progress | ⏳ Planned
## Project Vision & Scope
Deploy a unified management plane providing observability, security, and identity services for all substrate components, running as tenants on the Proxmox hypervisor.
### In Scope
- Centralized logging aggregation and search
- Metrics collection and telemetry
- Alerting and notification
- Secrets management
- Identity and access management
- Ansible automation via the `deevnet.mgmt` collection
### Out of Scope
- Application-specific monitoring (handled per-tenant)
- External identity federation (future phase)
- Multi-site federation
## Requirements ⏳
- ⏳ Define service selection criteria
- ⏳ Define retention policies (logs, metrics)
- ⏳ Define alerting channels and escalation
- ⏳ Define secrets access policies
- ⏳ Define identity/RBAC model
## Centralized Logging ⏳
Aggregate logs from all substrate hosts and services.
- ⏳ Evaluate logging stack (Loki, Elasticsearch, etc.)
- ⏳ Deploy log aggregation service
- ⏳ Configure log shipping from hosts (Promtail, Filebeat, etc.)
- ⏳ Deploy log visualization (Grafana, Kibana)
- ⏳ Define log retention and rotation
## Telemetry ⏳
Collect metrics from infrastructure and services.
- ⏳ Evaluate metrics stack (Prometheus, VictoriaMetrics, etc.)
- ⏳ Deploy metrics collection service
- ⏳ Configure exporters on substrate hosts
- ⏳ Deploy dashboards (Grafana)
- ⏳ Define metrics retention
## Alerting ⏳
Proactive notification of issues.
- ⏳ Evaluate alerting solutions (Alertmanager, Grafana Alerting)
- ⏳ Deploy alerting service
- ⏳ Define alert rules for infrastructure
- ⏳ Configure notification channels (email, webhook, etc.)
## Secrets Management ⏳
Secure storage and distribution of credentials.
Interim: Ansible Vault encrypts secrets at rest in the inventory (`group_vars/*/vault.yml`), unlocked at runtime with `--ask-vault-pass`. This removes the env var export workflow and keeps secrets encrypted in git. Two caveats: the vault password itself must never be committed (an alternative to the interactive prompt is `--vault-password-file` pointing outside the repository), and Vault only protects data at rest; decrypted values still appear in task output unless the tasks that use them set `no_log: true`.
- ✅ Migrate IaC secrets from env var lookups to Ansible Vault in inventory
- ⏳ Evaluate dedicated secrets solutions (HashiCorp Vault, SOPS, etc.)
- ⏳ Deploy secrets management service
- ⏳ Integrate with Ansible for secret injection
- ⏳ Define secrets rotation policies
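The interim scheme above only holds if every `vault.yml` is actually encrypted and no inventory file still reaches for `lookup('env', ...)`. The following audit is an added example written for this page, not code from the `deevnet.mgmt` collection; it assumes the common convention that `vault.yml` defines `vault_*` variables which `vars.yml` references, and it runs against a constructed inventory tree with sample (fake) values.

```python
"""Guard for the interim Ansible Vault scheme: every vault.yml under group_vars/
or host_vars/ must carry the ansible-vault envelope, and no plaintext inventory
file may still read secrets with lookup('env', ...).  Example code written for
this page, not part of the deevnet.mgmt collection."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# ansible-vault envelope header: "$ANSIBLE_VAULT;1.1;AES256" or "...;1.2;AES256;<vault-id>"
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(;[\w.@-]+)?$")
# Remnant of the env-var workflow the page migrated away from.
ENV_LOOKUP = re.compile(r"lookup\(\s*['\"]env['\"]")
# Assumed convention: secrets live in vault.yml as vault_* variables that
# vars.yml references; a vault_* assignment in a plaintext file is a leak.
PLAINTEXT_VAULT_VAR = re.compile(r"^vault_\w+\s*:\s*\S", re.MULTILINE)


def is_vault_encrypted(path: Path) -> bool:
    """True if the first line is the ansible-vault envelope header."""
    with path.open(encoding="utf-8", errors="replace") as fh:
        return VAULT_HEADER.match(fh.readline().rstrip("\r\n")) is not None


def audit_inventory(root: Path) -> list[str]:
    """Return findings as 'relative/path: problem' strings; an empty list means clean."""
    findings: list[str] = []
    for sub in ("group_vars", "host_vars"):
        base = root / sub
        if not base.is_dir():
            continue
        for path in base.rglob("*.y*ml"):
            rel = path.relative_to(root).as_posix()
            if path.stem.startswith("vault"):
                if not is_vault_encrypted(path):
                    findings.append(f"{rel}: vault file is not encrypted")
                continue
            if is_vault_encrypted(path):
                continue  # encrypted under another file name: acceptable
            text = path.read_text(encoding="utf-8", errors="replace")
            if ENV_LOOKUP.search(text):
                findings.append(f"{rel}: still resolves a secret with lookup('env', ...)")
            if PLAINTEXT_VAULT_VAR.search(text):
                findings.append(f"{rel}: defines a vault_* variable in plaintext")
    return sorted(findings)


def demo_audit() -> list[str]:
    """Run the audit over a constructed inventory tree (sample data, not real secrets)."""
    encrypted = (
        "$ANSIBLE_VAULT;1.1;AES256\n"
        "6162636465663031323334353637383961626364656630313233343536373839\n"  # constructed body
    )
    files = {
        "group_vars/all/vault.yml": encrypted,
        "group_vars/all/vars.yml": 'proxmox_api_password: "{{ vault_proxmox_api_password }}"\n',
        "group_vars/proxmox/vault.yml": "vault_proxmox_api_password: hunter2\n",  # never encrypted
        "group_vars/legacy/vars.yml": "proxmox_api_password: \"{{ lookup('env', 'PROXMOX_PASSWORD') }}\"\n",
        "host_vars/pve1/vars.yml": "vault_root_password: changeme\n",  # secret in the wrong file
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body, encoding="utf-8")
        return audit_inventory(root)


if __name__ == "__main__":
    for finding in demo_audit():
        print(finding)
```

Run it as a pre-commit hook or CI step over the repository root; a non-empty result should fail the commit, since a plaintext `vault.yml` pushed once stays in history even after it is encrypted later.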
## Identity Management ⏳
Centralized authentication and authorization.
- ⏳ Evaluate identity solutions (Keycloak, Authentik, etc.)
- ⏳ Deploy identity provider
- ⏳ Configure SSO for infrastructure services
- ⏳ Define RBAC policies
## Build Verification ⏳
Automated verification that the site was built as the inventory defines it and is fully functional, producing a single consolidated pass/fail report with supporting evidence.
- ⏳ Inventory conformance checks (running state matches inventory definitions)
- ⏳ Network connectivity matrix (verify all expected paths work)
- ⏳ Service health checks (DNS, DHCP, PXE, Proxmox API)
- ⏳ Hardware validation (MAC addresses, IP assignments match inventory)
- ⏳ Build report generation (consolidated pass/fail with evidence)
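The five items above are one pipeline: compare intent (inventory) against observation (gathered facts and probes), then fold every result into one report. The sketch below is an added example written for this page, not the project's code; the inventory shape (`mac`, `ip`, `services`) and the host names are assumptions, and the offline run substitutes a stub for the live TCP probe. It also covers two failure modes a real build report must handle: MAC addresses that differ only in case or separator between inventory and facts, and a host that never reported facts at all.

```python
"""Build verification sketch: check observed host state against inventory
intent and roll everything into one pass/fail report with evidence.  Example
code written for this page; the inventory shape (mac/ip/services) is assumed,
not the deevnet.mgmt collection's schema."""
from __future__ import annotations

import socket
from dataclasses import dataclass
from typing import Callable


@dataclass
class Check:
    host: str
    name: str
    passed: bool
    evidence: str


def norm_mac(mac: str) -> str:
    """Canonical aa:bb:cc:dd:ee:ff form; inventories and gathered facts often
    disagree on case and separator, which must not count as a mismatch."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def tcp_reachable(ip: str, port: int, timeout: float = 2.0) -> bool:
    """Live probe for a real run; the offline demo below substitutes a stub."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def conformance_checks(inventory: dict, observed: dict,
                       probe: Callable[[str, int], bool] = tcp_reachable) -> list[Check]:
    """inventory: host -> {"mac", "ip", "services": {name: port}}
    observed:  host -> {"mac", "ip"} from gathered facts (absent if the host was unreachable)."""
    checks: list[Check] = []
    for host, want in inventory.items():
        got = observed.get(host)
        if got is None:
            checks.append(Check(host, "facts", False, "no facts gathered; host down or absent"))
            continue
        checks.append(Check(host, "mac", norm_mac(want["mac"]) == norm_mac(got["mac"]),
                            f"inventory={want['mac']} observed={got['mac']}"))
        checks.append(Check(host, "ip", want["ip"] == got["ip"],
                            f"inventory={want['ip']} observed={got['ip']}"))
        for svc, port in want.get("services", {}).items():
            ok = probe(want["ip"], port)  # probe the intended address, not whatever came up
            checks.append(Check(host, f"service:{svc}", ok,
                                f"tcp/{port} on {want['ip']} {'open' if ok else 'closed'}"))
    return checks


def render_report(checks: list[Check]) -> dict:
    """Consolidated report: one line of evidence per check plus an overall verdict."""
    failed = [f"{c.host}/{c.name}" for c in checks if not c.passed]
    lines = [f"{'PASS' if c.passed else 'FAIL'} {c.host:<6} {c.name:<20} {c.evidence}" for c in checks]
    lines.append(f"{len(checks) - len(failed)}/{len(checks)} checks passed; "
                 f"overall {'PASS' if not failed else 'FAIL'}")
    return {"overall": not failed, "failed": failed, "total": len(checks), "text": "\n".join(lines)}


def demo_report() -> dict:
    """Constructed sample: three hosts; one got the wrong lease, one never reported facts."""
    inventory = {
        "pve1": {"mac": "BC:24:11:AA:BB:01", "ip": "10.0.10.11", "services": {"ssh": 22, "proxmox_api": 8006}},
        "ns1":  {"mac": "BC:24:11:AA:BB:02", "ip": "10.0.10.53", "services": {"dns": 53}},
        "pxe1": {"mac": "BC:24:11:AA:BB:03", "ip": "10.0.10.69", "services": {"http": 80}},
    }
    observed = {
        "pve1": {"mac": "bc:24:11:aa:bb:01", "ip": "10.0.10.11"},
        "ns1":  {"mac": "bc-24-11-aa-bb-02", "ip": "10.0.10.54"},  # wrong DHCP lease
    }
    open_ports = {("10.0.10.11", 22), ("10.0.10.11", 8006), ("10.0.10.53", 53)}  # constructed
    stub_probe = lambda ip, port: (ip, port) in open_ports
    return render_report(conformance_checks(inventory, observed, probe=stub_probe))


if __name__ == "__main__":
    print(demo_report()["text"])
```

In a real run the `observed` map would come from gathered facts (for example `ansible_default_ipv4.macaddress` and `.address`) and `probe` would be left at `tcp_reachable`; the shape of the report does not change. Probing the inventory address rather than the observed one is deliberate: a service answering on the wrong IP is still a failed build.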
## Documentation ⏳
- ⏳ Management plane architecture overview
- ⏳ Service deployment runbook
- ⏳ Operations and troubleshooting guide