Skip to main content 
Devops
- Plan Your Pi Cluster
- Prepare the First Node
- Launch DSPACE in Docker
- Set Up a CI Pipeline
- Deploy with k3s
- Set Up Monitoring
- Enable Automatic Updates
- Configure Daily Backups
- Secure the Cluster with HTTPS
- Configure Firewall Rules
- Set Up Log Rotation
- Run a Private Docker Registry
- Boot from SSD
- Harden SSH Access
- Block SSH Brute Force
- Quest link: /quests/devops/pi-cluster-hardware
- Unlock prerequisite:
requiresQuests:sysadmin/basic-commands
- Dialogue
requiresItemsgates:start→ "Start the parts and risk review." - no item gate (planning/procurement step)bom→ "All required parts are staged." - Raspberry Pi 5 board ×1, M.2 PoE+ HAT ×1, 1TB 2230 M.2 SSD ×1, 64GB microSD card ×1, PoE+ switch ×1, Ethernet cable ×1, fan case ×1, hardware worksheet artifact (journalctl report×1)strategy→ both strategy options require a hardware worksheet artifact (journalctl report×1)troubleshoot→ "Updated BOM ready. Re-check hardware readiness." - incident log extract ×1verify/finish→ worksheet artifact (journalctl report×1)
- Grants:
- Dialogue options/steps grantsItems: None
- Quest-level
grantsItems: None
- Rewards:
- basic shell operator badge ×1
- Processes used:
- sysadmin-logs-export-journalctl-report
- Requires: Laptop Computer ×1
- Consumes: none
- Creates: journalctl report ×1
- sysadmin-logs-tail-incident-extract
- Requires: journalctl report ×1
- Consumes: none
- Creates: incident log extract ×1
- sysadmin-logs-export-journalctl-report
- Quest link: /quests/devops/prepare-first-node
- Unlock prerequisite:
requiresQuests:devops/pi-cluster-hardware
- Dialogue
requiresItemsgates:start→ "Begin preflight and flash workflow." - 64GB microSD card ×1, Raspberry Pi 5 board ×1preflight→ "Card flashed and first boot complete." - flashed microSD card ×1update→ both update paths require Raspberry Pi 5 board ×1docker→ Docker verification artifact (journalctl report×1)verify/finish→ Docker verification artifact (journalctl report×1), flashed microSD card ×1recover→ "System stabilized; re-run update and install path." - incident log extract ×1
- Grants:
- Dialogue options/steps grantsItems: None
- Quest-level
grantsItems: None
- Rewards:
- observability checkpoint badge ×1
- Processes used:
- flash-sd-card
- Requires: Laptop Computer ×1
- Consumes: 64GB microSD card ×1
- Creates: flashed microSD card ×1
- sysadmin-logs-export-journalctl-report
- Requires: Laptop Computer ×1
- Consumes: none
- Creates: journalctl report ×1
- sysadmin-logs-tail-incident-extract
- Requires: journalctl report ×1
- Consumes: none
- Creates: incident log extract ×1
- flash-sd-card
- Quest link: /quests/devops/docker-compose
- Unlock prerequisite:
requiresQuests:devops/prepare-first-node
- Dialogue
requiresItemsgates:start→ "Run preflight before launching." - Pi cluster node ×1, Laptop Computer ×1preflight→ "Preflight complete; launch containers." - Pi cluster node ×1launch→ "Services are healthy locally; configure tunnel." - Pi cluster node ×1tunnel→ "Tunnel fails health check or leaks origin." - PoE+ switch ×1, Ethernet cable ×1tunnel→ "Tunnel is healthy and origin access is restricted." - PoE+ switch ×1, Ethernet cable ×1recover→ "Remediation complete; rerun tunnel validation." - Pi cluster node ×1finish→ "Document this deployment runbook." - PoE+ switch ×1, Ethernet cable ×1
- Grants:
- Dialogue options/steps grantsItems: None
- Quest-level
grantsItems: None
- Rewards:
- incident response analyst badge ×1
- Processes used:
- run-docker-compose
- Requires: Pi cluster node ×1
- Consumes: none
- Creates: none
- create-cloudflare-tunnel
- Requires: PoE+ switch ×1, Ethernet cable ×1
- Consumes: none
- Creates: none
- run-docker-compose
- Quest link: /quests/devops/ci-pipeline
- Unlock prerequisite:
requiresQuests:devops/docker-compose
- Dialogue
requiresItemsgates:start→ "Define CI safety policy first." - Laptop Computer ×1policy→ "Policy documented; author the workflow." - Laptop Computer ×1author→ "Workflow added; collect first run evidence." - CI workflow file ×1verify→ "Run failed or branch protections are missing." - CI workflow file ×1verify→ "Checks are enforced and green." - CI workflow file ×1recover→ "Fix applied; verify the rerun evidence." - CI workflow file ×1finish→ "Ship with confidence." - CI workflow file ×1
- Grants:
- Dialogue options/steps grantsItems: None
- Quest-level
grantsItems: None
- Rewards:
- basic shell operator badge ×1
- Processes used:
- create-ci-workflow
- Requires: GitHub repository ×1
- Consumes: none
- Creates: CI workflow file ×1
- create-ci-workflow
- Quest link: /quests/devops/k3s-deploy
- Unlock prerequisite:
requiresQuests:devops/docker-compose
- Dialogue
requiresItemsgates:start→ "Let's stage it safely." - Pi cluster node ×1, Laptop Computer ×1install→ "Cluster install complete." - Pi cluster node ×1verify→ "Nodes healthy and report captured." - journalctl report ×1rollback→ "Rollback complete; retry install with corrected settings." - Pi cluster node ×1
- Grants:
- Dialogue options/steps grantsItems: None
- Quest-level
grantsItems: None
- Rewards:
- basic shell operator badge ×1
- Processes used:
- join-k3s-cluster
- Requires: Pi cluster node ×1
- Consumes: none
- Creates: none
- sysadmin-logs-export-journalctl-report
- Requires: Laptop Computer ×1
- Consumes: none
- Creates: journalctl report ×1
- join-k3s-cluster
- Quest link: /quests/devops/monitoring
- Unlock prerequisite:
requiresQuests:devops/k3s-deploy
- Dialogue
requiresItemsgates:install→ "Dashboards are loading and metrics are scraping." - external backup SSD ×1verify→ "Snapshot meets thresholds. Compile the monitoring logbook artifact." - external backup SSD ×1, Pi cluster node ×1, Laptop Computer ×1verify→ "Anomaly detected (alerts firing or scrape gaps). Enter incident triage with log export access." - Laptop Computer ×1incident→ "Incident report and extract captured. Choose the remediation path." - journalctl report ×1, incident log extract ×1classify→ all remediation exits require incident log extract ×1logbook→ "Logbook complete with thresholds, cadence, and evidence archive." - journalctl report ×1, external backup SSD ×1
- Grants:
- Dialogue options/steps grantsItems: None
- Quest-level
grantsItems: None
- Rewards:
- observability checkpoint badge ×1
- Processes used:
- install-monitoring-stack
- Requires: Pi cluster node ×1
- Consumes: none
- Creates: external backup SSD ×1
- sysadmin-logs-tail-incident-extract
- Requires: journalctl report ×1
- Consumes: none
- Creates: incident log extract ×1
- sysadmin-logs-export-journalctl-report
- Requires: Laptop Computer ×1
- Consumes: none
- Creates: journalctl report ×1
- install-monitoring-stack
- Quest link: /quests/devops/auto-updates
- Unlock prerequisite:
requiresQuests:devops/monitoring
- Dialogue
requiresItemsgates:start→ "Define maintenance constraints." - Pi cluster node ×1, Laptop Computer ×1window→ "Window documented; stage config." - Pi cluster node ×1, Laptop Computer ×1stage→ "Config staged; run verification dry run." - Pi cluster node ×1, unattended-upgrades config ×1verify→ "Dry run reports held packages or unsafe reboot timing." - auto-update health report ×1verify→ "Verification evidence is clean." - auto-update health report ×1recovery→ "Mitigation applied; re-run verification window." - auto-update health report ×1finish→ "Queue the next maintenance window." - auto-update health report ×1
- Grants:
- Dialogue options/steps grantsItems: None
- Quest-level
grantsItems: None
- Rewards:
- basic shell operator badge ×1
- Processes used:
- configure-unattended-upgrades
- Requires: Pi cluster node ×1, Laptop Computer ×1
- Consumes: none
- Creates: unattended-upgrades config ×1
- verify-unattended-upgrades
- Requires: unattended-upgrades config ×1, Pi cluster node ×1
- Consumes: none
- Creates: auto-update health report ×1
- configure-unattended-upgrades
- Quest link: /quests/devops/daily-backups
- Unlock prerequisite:
requiresQuests:devops/monitoring
- Dialogue
requiresItemsgates:start→ "Plan backup cadence and retention." - external backup SSD ×1, Pi cluster node ×1stage→ "Backup job staged; run verification." - external backup SSD ×1verify→ "Restore test failed or logs show checksum mismatch." - journalctl report ×1verify→ "Restore drill passed with complete evidence." - journalctl report ×1recover→ "Corrected. Re-run backup + restore verification." - incident log extract ×1finish→ "Lock in the backup SOP." - journalctl report ×1
- Grants:
- Dialogue options/steps grantsItems: None
- Quest-level
grantsItems: None
- Rewards:
- basic shell operator badge ×1
- Processes used:
- configure-daily-backups
- Requires: Pi cluster node ×1, external backup SSD ×1
- Consumes: none
- Creates: none
- sysadmin-logs-export-journalctl-report
- Requires: Laptop Computer ×1
- Consumes: none
- Creates: journalctl report ×1
- sysadmin-logs-tail-incident-extract
- Requires: journalctl report ×1
- Consumes: none
- Creates: incident log extract ×1
- configure-daily-backups
- Quest link: /quests/devops/enable-https
- Unlock prerequisite:
requiresQuests:devops/daily-backups
- Dialogue
requiresItemsgates:start→ "Console access confirmed. Stage certbot." - Pi cluster node ×1, auto-update health report ×1provision→ "Certificates minted." - Pi cluster node ×1, auto-update health report ×1verify→ "TLS health verified with clean chain and renewal output." - TLS certificate bundle ×1, Pi cluster node ×1rollback→ "Rollback checks captured. Decide whether to retry issuance or pause." - Pi cluster node ×1 (rollback evidence captured via HTTPS health check output)rollback-verify→ "Rollback is stable. Retry certificate provisioning." - HTTPS service check ×1, Pi cluster node ×1finish→ "Document the renewal schedule." - HTTPS service check ×1
- Grants:
- Dialogue options/steps grantsItems: None
- Quest-level
grantsItems: None
- Rewards:
- incident response analyst badge ×1
- Processes used:
- request-letsencrypt-cert
- Requires: auto-update health report ×1, Pi cluster node ×1
- Consumes: none
- Creates: TLS certificate bundle ×1
- verify-https-service
- Requires: TLS certificate bundle ×1, Pi cluster node ×1
- Consumes: none
- Creates: HTTPS service check ×1
- request-letsencrypt-cert
- Quest link: /quests/devops/firewall-rules
- Unlock prerequisite:
requiresQuests:devops/auto-updates
- Dialogue
requiresItemsgates:start→ "Access map documented. Apply baseline rules." - Pi cluster node ×1, Laptop Computer ×1setup→ "Rules applied and node still reachable." - Pi cluster node ×1, Laptop Computer ×1verify→ "Only expected ports respond and SSH remains healthy." - Pi cluster node ×1
- Grants:
- Dialogue options/steps grantsItems: None
- Quest-level
grantsItems: None
- Rewards:
- basic shell operator badge ×1
- Processes used:
- configure-ufw-firewall
- Requires: Laptop Computer ×1, Pi cluster node ×1
- Consumes: none
- Creates: none
- configure-ufw-firewall
- Quest link: /quests/devops/log-maintenance
- Unlock prerequisite:
requiresQuests:devops/daily-backups
- Dialogue
requiresItemsgates:start→ "Set the logging policy." - external backup SSD ×1, Laptop Computer ×1capture→ "Threshold exceeded or report missing fields." - journalctl report ×1capture→ "Snapshot passes thresholds." - journalctl report ×1anomaly→ "Corrective action applied; run follow-up verification window." - incident log extract ×1
- Grants:
- Dialogue options/steps grantsItems: None
- Quest-level
grantsItems: None
- Rewards:
- incident response analyst badge ×1
- Processes used:
- configure-daily-backups
- Requires: Pi cluster node ×1, external backup SSD ×1
- Consumes: none
- Creates: none
- sysadmin-logs-export-journalctl-report
- Requires: Laptop Computer ×1
- Consumes: none
- Creates: journalctl report ×1
- sysadmin-logs-tail-incident-extract
- Requires: journalctl report ×1
- Consumes: none
- Creates: incident log extract ×1
- configure-daily-backups
- Quest link: /quests/devops/private-registry
- Unlock prerequisite:
requiresQuests:devops/docker-compose
- Dialogue
requiresItemsgates:start→ "Define storage and access policy." - Pi cluster node ×1, Laptop Computer ×1plan→ "Policy documented. Deploy registry stack." - Pi cluster node ×1deploy→ "Service running. Validate push/pull and persistence." - Pi cluster node ×1verify→ "Push/pull failed or image disappeared after restart." - journalctl report ×1verify→ "Verification passed with retained image state." - journalctl report ×1recovery→ "Mitigation in place. Re-run push/pull validation." - incident log extract ×1finish→ "Publish the cluster image policy." - journalctl report ×1
- Grants:
- Dialogue options/steps grantsItems: None
- Quest-level
grantsItems: None
- Rewards:
- basic shell operator badge ×1
- Processes used:
- run-docker-compose
- Requires: Pi cluster node ×1
- Consumes: none
- Creates: none
- sysadmin-logs-export-journalctl-report
- Requires: Laptop Computer ×1
- Consumes: none
- Creates: journalctl report ×1
- sysadmin-logs-tail-incident-extract
- Requires: journalctl report ×1
- Consumes: none
- Creates: incident log extract ×1
- run-docker-compose
- Quest link: /quests/devops/ssd-boot
- Unlock prerequisite:
requiresQuests:devops/prepare-first-node
- Dialogue
requiresItemsgates:start→ "Begin SSD migration plan." - flashed microSD card ×1, 1TB 2230 M.2 SSD ×1baseline→ "Baseline captured; start clone." - journalctl report ×1clone→ "Clone complete; prep hardware cutover." - bootable 1TB SSD ×1mount→ "Node is online; verify root device and performance." - Pi cluster node ×1verify/finish→ Pi cluster node ×1 + journalctl report ×1recoverretry paths require incident log extract ×1
- Grants:
- Dialogue options/steps grantsItems: None
- Quest-level
grantsItems: None
- Rewards:
- incident response analyst badge ×1
- Processes used:
- clone-os-to-ssd
- Requires: none
- Consumes: flashed microSD card ×1, 1TB 2230 M.2 SSD ×1
- Creates: bootable 1TB SSD ×1
- assemble-pi-node
- Requires: none
- Consumes: Raspberry Pi 5 board ×1, M.2 PoE+ HAT ×1, bootable 1TB SSD ×1, fan case ×1
- Creates: Pi cluster node ×1
- sysadmin-logs-export-journalctl-report
- Requires: Laptop Computer ×1
- Consumes: none
- Creates: journalctl report ×1
- sysadmin-logs-tail-incident-extract
- Requires: journalctl report ×1
- Consumes: none
- Creates: incident log extract ×1
- clone-os-to-ssd
- Quest link: /quests/devops/ssh-hardening
- Unlock prerequisite:
requiresQuests:devops/firewall-rules
- Dialogue
requiresItemsgates:start→ "Ready with laptop and node." - Laptop Computer ×1, Pi cluster node ×1keys→ "Key auth works in a second shell." - Pi cluster node ×1, Laptop Computer ×1verify→ "Key login failed or access is unstable." - journalctl report ×1verify→ "Policy verified with evidence." - journalctl report ×1recovery→ "Recovery complete; re-run verification." - incident log extract ×1
- Grants:
- Dialogue options/steps grantsItems: None
- Quest-level
grantsItems: None
- Rewards:
- basic shell operator badge ×1
- Processes used:
- generate-ssh-key
- Requires: Laptop Computer ×1, Pi cluster node ×1
- Consumes: none
- Creates: none
- harden-sshd-config
- Requires: Pi cluster node ×1
- Consumes: none
- Creates: none
- sysadmin-logs-export-journalctl-report
- Requires: Laptop Computer ×1
- Consumes: none
- Creates: journalctl report ×1
- sysadmin-logs-tail-incident-extract
- Requires: journalctl report ×1
- Consumes: none
- Creates: incident log extract ×1
- generate-ssh-key
- Quest link: /quests/devops/fail2ban
- Unlock prerequisite:
requiresQuests:devops/ssh-hardening
- Dialogue
requiresItemsgates:start→ "Stage a fail2ban policy." - Pi cluster node ×1, Laptop Computer ×1start→ "Run a canary dry-run before cluster-wide rollout." - Pi cluster node ×1, Laptop Computer ×1canary→ "Canary evidence looks safe. Promote policy cluster-wide." - journalctl report ×1canary→ "Canary shows lockout risk with evidence captured. Enter recovery before rollout." - journalctl report ×1verify→ "Ban evidence exists, but false positives hit trusted admin sources." - journalctl report ×1stage→ "Policy staged; capture ban evidence." - Pi cluster node ×1verify→ "Ban evidence missing or admin access degraded." - journalctl report ×1verify→ "Ban telemetry and admin access both pass." - journalctl report ×1policy-tune→ "Tuning captured. Re-run controlled login failure tests." - incident log extract ×1recover→ "Mitigation applied; verify again." - incident log extract ×1finish→ "Keep fail2ban metrics in weekly ops review." - journalctl report ×1
- Grants:
- Dialogue options/steps grantsItems: None
- Quest-level
grantsItems: None
- Rewards:
- incident response analyst badge ×1
- Processes used:
- configure-ufw-firewall
- Requires: Laptop Computer ×1, Pi cluster node ×1
- Consumes: none
- Creates: none
- sysadmin-logs-export-journalctl-report
- Requires: Laptop Computer ×1
- Consumes: none
- Creates: journalctl report ×1
- sysadmin-logs-tail-incident-extract
- Requires: journalctl report ×1
- Consumes: none
- Creates: incident log extract ×1
- configure-ufw-firewall
- Cross-quest dependencies: follow quest unlocks in order; each quest above lists exact
requiresQuestsand inventory gates that must be present before completion paths appear. - Progression integrity checks: verify each process-backed step can be completed either by running the process or by satisfying the documented continuation gate items.
- Known pitfalls: repeated processes may generate stackable logs or outputs; validate minimum item counts on continuation options before skipping process steps.
Devops quests build practical progression through the devops skill tree. This page is a QA-oriented map of quest dependencies, process IO, and inventory gates.