diff --git a/docs/TASKS.md b/docs/TASKS.md index a7e8416..4438ce0 100644 --- a/docs/TASKS.md +++ b/docs/TASKS.md 
@@ -1,9 +1,91 @@ # aXion1337.Chat – Task List & Meilensteine +**Last Updated**: 2026-05-14 **Statusübersicht**: [✅ 6 Abgeschlossen] [🔄 1 In Progress] [📋 15+ Pending] [🔒 10 Security] --- +## 📊 Status Summary (Quick View) + +| Kategorie | Count | Status | Details | +|-----------|-------|--------|---------| +| **Completed** | 6 | ✅ Done | K3S, Flux, ESS, Themes, Desktop, Monitoring, TURN | +| **In Progress** | 1 | 🔄 Blocked | Authentik Stage 2 (awaiting manual config) | +| **Backlog** | 15+ | 📋 Pending | Element Call Fork, DB Backups, NetworkPolicies, etc. | +| **Security Tasks** | 10 | 🔒 Pending | Firewall, SSH, auditd, Kernel hardening, CrowdSec, Falco | + +### Priority Distribution + +| Priority | Count | Timeline | +|----------|-------|----------| +| 🔴 **CRITICAL** | 3 | This week | +| 🟠 **HIGH** | 4 | 1–2 weeks | +| 🟡 **MEDIUM** | 8 | ~1 month | +| 🟢 **LOW** | 4+ | Nice-to-have | + +--- + +## 🎯 Next Steps (Priorisiert) + +### 🔴 **THIS WEEK – CRITICAL** +1. **Authentik Stage 2 abschließen** + - Manual: OIDC Provider + Application in Authentik UI erstellen + - Code: `upstream_oauth2_config` in `mas-secret.yaml` einfügen + - Code: `passwords: enabled: false` aktivieren + - Commit: `enable-authentik-oidc-integration-in-mas` + - Est. Time: 1–2 hours + - Blocker: Manual Authentik config (user action) + +2. **Hetzner Cloud Firewall – Default-Deny Setup** + - Ingress: Allow 80/443 only + - Allow SSH from your IP or via WireGuard/Tailscale + - Est. Time: 30 min + - Cost: Free + - Impact: Blocks 99% of internet background noise + +3. **SSH Hardening** + - Disable password auth (key-only) + - Disable root login + - MaxAuthTries 3 + - Est. Time: 1–2 hours + - Priority: HIGH + +4. **Database Backup Strategy – Decision & First Backup** + - Decision: CloudNativePG (on K3S) or Hetzner Postgres (managed)? + - Setup: Daily automated backups + - Setup: Off-site storage (S3 / Storage Box) + - Setup: Monthly verified restores + - Est. 
Time: 2–3 days + - Priority: CRITICAL (disaster recovery) + +### 🟠 **NEXT 1–2 WEEKS – HIGH** +1. **Authentik End-to-End Test** + - Test: Login flow Element → MAS → Authentik → Matrix User + - Test: Password reset + - Create: Test invite links + - Est. Time: 2 hours + +2. **Element Call Fork** + - Fork: element-hq/element-call + - Feature: Video/audio constraints parameters + - Integration: Synapse well-known config + - Est. Time: 2–3 days + +3. **External PostgreSQL Migration** + - Decision: CloudNativePG vs. Hetzner Postgres + - Setup: HA + Replication + - Migration: Move data from ESS embedded Postgres + - Testing: Verify all services work + - Est. Time: 1–2 days + +4. **NetworkPolicies Deployment** + - Create: Default-Deny for `matrix` namespace + - Create: Allow rules (Synapse↔Postgres, MAS↔Postgres, Ingress→Web, etc.) + - Test: Ensure no service breakage + - Est. Time: 1 day + +--- + ## ✅ Abgeschlossene Aufgaben (Chronologisch) ### Phase 1: Basis-Setup
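Review bot: in the `THIS WEEK – CRITICAL` block, task 1 switches MAS to `passwords: enabled: false` before the `Authentik End-to-End Test` (first item of the `NEXT 1–2 WEEKS – HIGH` block) has verified the Element → MAS → Authentik → Matrix User login flow, so a misconfigured OIDC provider would lock every user, admins included, out of Matrix with no fallback; move the password-disable step after the end-to-end test passes, or keep a documented break-glass admin login until then. The firewall task in the same block (`Ingress: Allow 80/443 only`) also conflicts with the completed TURN item in the Status Summary: a TURN server needs its listening port (3478/5349 by default) and its UDP relay port range reachable, so either add those ports to the allow rules or note that calls which need relaying will fail once default-deny is applied. Since `upstream_oauth2_config` carries the OIDC client secret, the task should state how `mas-secret.yaml` is encrypted if it is committed to the Flux repository. Minor: `SSH Hardening` sits under `THIS WEEK – CRITICAL` but carries `Priority: HIGH`, and the Priority Distribution table (3 CRITICAL / 4 HIGH) does not match the four items listed under each heading; one of the two should be corrected.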