What servers/services do we need to bootstrap ourselves

In general I’m a big fan of using free cloud-hosted solutions wherever it makes sense to do so; the only issue is making sure it can be secured, authn/authz is handled in a uniform way, etc.

GitHub can do that; it does SAML-based SSO if you choose. If I’m honest, I really like Actions: it stores secrets, it integrates with everything. I wouldn’t take much convincing to plan around GitHub, provided we solve the security piece.

1 Like

I personally would prefer that, as it takes a good chunk of concern off the infrastructure side. SSO can be configured easily, as well as 2FA on the accounts; security rules can be set to require code reviews and everything else. I think there is more of a visibility problem (it’s not open source) with using GitHub than any random functionality issue anyone can come up with.

AFAIK development of pagure.io is no longer a priority. I would suggest https://gitea.io as it’s easy to self-host and has 2FA. You can always push to gitlab as a mirror.

3 Likes

Ipsilon was last updated in 2017, Keycloak might be the better option. Also http://www.privacyidea.org/ might be an idea (fork of LinOTP).

I am using privacyidea with Shibboleth/SAML. It is great, but it requires its own maintenance, and whatever will consume it for 2FA needs to support it. FreeIPA, on the other hand, uses RADIUS AFAIK. I never used Keycloak, to be honest, but I was so close to giving it a go.

I should note FreeIPA doesn’t need RADIUS for 2FA. It has its own built-in mechanism.

These are all great monitoring tool choices, but I think to get closer to the right fit, we may need to list out the top 10 to 15 things we want to capture. That may help the right tool rise to the top on its own.

Why is the group looking to self-host much of these items when we are trying to get this off-the-ground?

Other than infra to build, what other infra is really NEEDED?

GitHub (for better or for worse) is where almost everyone is at, so getting contributors will be easier. GitHub provides bug tracking/issues/ticketing, and GitHub Pages can work as a wiki.

Then we are down to what the build system needs:
Config management => Ansible
Authentication => FreeIPA/Keycloak
DNS => FreeIPA
Monitoring => Prometheus/TICK stack + Grafana

Apologies if I missed some key conversation that explained why all of this should be self-hosted.

5 Likes

I guess we are here because we lost control (expectations) of CentOS, which we were depending on. Let’s learn from this and not rely on third parties which could pull the plug at any notice. Remember how GitHub did that with youtube-dl? So let’s not use GitHub, although it might have all the bells and whistles. Instead choose what provides independence. Perhaps this comes at the price of having to maintain infrastructure. But isn’t that worth it to prevent another CentOS?

10 Likes

We have some customers that have Keycloak fronting FreeIPA. Seems to work out ok.

1 Like

Ya, but isn’t the internal mechanism actually a RADIUS server?

No, it is not a RADIUS server. You do not install RADIUS when installing FreeIPA, nor when configuring OTP inside of FreeIPA.

Yes, I totally agree with you. Correctly identifying the requirements is first priority.

Oh ya, you are right, I needed the RADIUS for Shibboleth…

Throwing in https://github.com/netdata/netdata as a more modern option.

About dedicated hosts: I used to work on OpenStack projects, and it’s quite a beast that requires its own specialized support team. For KISS’ sake it’s probably easier to start with bare metal running VMs via libvirtd/KVM.

1 Like

Bug Tracking/Repository/CI: I’ve used GitHub, GitLab and BitBucket, and I would currently choose GitLab out of all of them. Easiest to use, best features and great CI (yes, GitHub now has GitHub Actions; please no Jenkins). But GitLab is the easiest: everything in one place, so fewer systems to manage: repository, wiki, CI, task management, and others. The GitLab guys also offer a free GitLab license for open source projects; maybe they wish to help.

Automation/Orchestration: SaltStack is great for automation and has many advantages over Ansible, especially for a project like this where it may change so fast: it’ll keep all systems in the desired state all the time, which you can’t do with Ansible (unless using AWS and some other stuff), and it’s also faster than Ansible :wink: But it can also look for events on systems if needed (which Ansible cannot do at all).

Monitoring: Prometheus + Grafana is nice, but it lacks some features. Some Nagios/Icinga/Zabbix with status monitoring (next to metrics monitoring) would be very helpful. I’ve only used Nagios/Icinga 1 so far for that.

About OpenStack, totally agree with @patrick — I have been in a team creating and managing an OpenStack cluster. You can’t do that without a team specialized in OpenStack; it’s just too huge. I would be happy to use it, but for the beginning it’s too big.

1 Like
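The post above makes two claims about SaltStack: that it continuously holds systems in a desired state, and that it can react to events on the minions. The fragment below is an added illustration of that event-driven remediation loop, not configuration from this thread or from the project: a minion beacon watches `/etc/ssh/sshd_config` with inotify, the master’s reactor maps the resulting event back to a `state.apply`, and the state re-imposes the managed file. The state name `sshd`, the file paths under `/srv/`, and the `salt://sshd/sshd_config` source are assumptions chosen for the example.

```yaml
# --- /etc/salt/minion.d/beacons.conf (on each minion) ---
# Assumed example: emit an event whenever the managed sshd config is modified.
# The inotify beacon needs pyinotify on the minion.
beacons:
  inotify:
    - files:
        /etc/ssh/sshd_config:
          mask:
            - modify
    # Do not fire while the minion itself is applying state (avoids loops).
    - disable_during_state_run: True

# --- /etc/salt/master.d/reactor.conf (on the master) ---
# Assumed example: beacon events carry the tag
#   salt/beacon/<minion_id>/inotify/<watched path>
# (the path begins with '/', hence the double slash). Match them and
# run the reactor SLS below.
reactor:
  - 'salt/beacon/*/inotify//etc/ssh/sshd_config':
    - /srv/reactor/reapply_sshd.sls

# --- /srv/reactor/reapply_sshd.sls (on the master) ---
# Assumed example: the reactor runs as the master, so keep it minimal and
# only target the minion that raised the event (data['id']); only act on a
# real modification, not on other inotify change types.
# {% if data['data']['change'] == 'IN_MODIFY' %}
# reapply_sshd:
#   local.state.apply:
#     - tgt: {{ data['id'] }}
#     - arg:
#       - sshd
# {% endif %}

# --- /srv/salt/sshd.sls (state tree on the master) ---
# Assumed example: the desired state. Re-running it restores the managed
# file and restarts sshd only if the file actually changed.
sshd_config:
  file.managed:
    - name: /etc/ssh/sshd_config
    - source: salt://sshd/sshd_config
    - user: root
    - group: root
    - mode: '0600'

sshd_service:
  service.running:
    - name: sshd
    - enable: True
    - watch:
      - file: sshd_config
```

Two practical notes. The reactor SLS is shown commented out because it is Jinja-templated YAML and lives in its own file; it cannot sit in the same YAML document as the other three fragments. And because reactors execute with the master’s privileges on whatever event matches the tag, the `tgt` should always be derived from the event (`data['id']`) rather than a broad glob, so a single minion’s event can only trigger work on that minion.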

Why no Jenkins? It is IMHO one of the most flexible and scalable solutions.

Overcomplicated :slight_smile:
I’m using it in my current company, and compared to GitLab, it’s hell. You might say that GitLab has limited features compared with Jenkins, but actually you can do most of the stuff you would do in Jenkins, and in a simpler manner. And it’s scalable too.

And again: easier to manage one tool than multiple.

2 Likes

Jenkins boxes are also fairly needy and require additional infra for an unclear payoff when there are so many viable products in this space that don’t need it.

1 Like

Hmm, I would not agree on that; we are heavily using Jenkins and I do not see what would make it complicated. And yes, comparing GitLab CI with Jenkins… then Jenkins wins.