More work on task planning and organization

tasks/docs/restic-example.md

@@ -1,7 +1,7 @@
 ---
 type: task
 after:
-  - /soon/drafts/chest-management.md
+  - /drafts/chest-management.md
 ---
 
 # Restic Example

tasks/nats/add.md

@@ -1,5 +1,5 @@
 ---
-type: tasks
+type: task
 ---
 
 Introduce [NATS][nats] as a new service run by Isle. All hosts should join the

tasks/nats/garage-watcher.md

@@ -1,11 +1,11 @@
 ---
-type: tasks
+type: task
 after:
-  - ./add.md
+  - ./pubsub.md
 ---
 
 A simple mechanism should be developed which "watches" a garage directory or
-file for changes. This mechanism has too sides.
+file for changes. This mechanism has two sides.
 
 ## Producer
 

tasks/nats/pubsub.md

@@ -0,0 +1,9 @@
+---
+type: task
+after:
+  - ./add.md
+---
+
+Every host should be able to listen to and publish to pubsub channels on NATS.
+All messages should be signed by their sending host, and all receiving hosts
+should verify these signatures.

tasks/nats/rpc.md

@@ -0,0 +1,13 @@
+---
+type: task
+after:
+  - ./add.md
+---
+
+A general RPC mechanism should be developed which allows one group of hosts to
+handle RPC calls made by other hosts. Each RPC request should be signed by the
+host which is making it, and the response should be signed and encrypted by the
+responder.
+
+The JSONRPC2 framework already developed for communication between CLI and
+daemon can be re-used here.

tasks/remove-host/by-admin.md

@@ -0,0 +1,15 @@
+---
+type: task
+after:
+  - ./watch-hosts.md
+---
+
+When a host is removed by a network admin, the admin's daemon should modify that
+host's file in the common bucket, changing the HostAssigned section to indicate
+that the host is no longer present in the network.
+
+All other hosts in the network, when a host is updated with an indication that
+it's no longer present in the network, should add that host's certificate
+fingerprint to the `pki.blocklist` of their local nebula instance.
+
+The `pki.disconnect_invalid` boolean should always be true in the nebula config.

tasks/remove-host/by-host.md

@@ -0,0 +1,15 @@
+---
+type: task
+after:
+  - ./watch-hosts.md
+---
+
+When is removed by the host itself, the host's daemon should modify its file in
+the common bucket, changing the HostConfigured section to indicate that the host
+is no longer present in the network.
+
+All other hosts in the network, when a host is updated with an indication that
+it's no longer present in the network, should add that host's certificate
+fingerprint to the `pki.blocklist` of their local nebula instance.
+
+The `pki.disconnect_invalid` boolean should always be true in the nebula config.

tasks/remove-host/watch-hosts.md

@@ -0,0 +1,11 @@
+---
+type: task
+after:
+  - /nats/garage-watcher.md
+---
+
+Hosts should use the garage watcher both when updating and pulling updates to
+host information in the common bucket.
+
+If a host's data is not actually changing then it should not notify the garage
+watchers.

tasks/secrets/propagation/polling.md

@@ -1,5 +1,7 @@
 ---
-type: tasks
+type: task
+after:
+  - /nats/garage-watcher.md
 ---
 
 Secrets which are placed in the global bucket according to the

tasks/secrets/propagation/putting.md

@@ -1,5 +1,5 @@
 ---
-type: tasks
+type: task
 after:
   - ./polling.md
 ---

tasks/soon/drafts/certificate-revocation.md

@@ -1,9 +0,0 @@
----
-type: task
----
-
-# Certificate Revocation Propagation
-
-When a host is removed from the network the admin host which removed it should
-publish a revocation certificate for its old certificate, so that other hosts
-know to no longer trust it.