author: EuAndreh <eu@euandre.org> 2021-01-16 14:11:36 -0300
committer: EuAndreh <eu@euandre.org> 2021-01-16 14:13:55 -0300
commit: 7f1b1a193bfef0936cfb3f0aee368f0cf21f078f
tree: 8d476ef3af0ceb87d64dc857cf190b5779c56df9
parent: Update tfstate file
Move from TODOs.rst to TODOs.md
-rw-r--r-- TODOs.md 222
-rw-r--r-- TODOs.rst 297
-rwxr-xr-x build-aux/assert-todos.sh 10
-rwxr-xr-x build-aux/workflow/TODOs.sh 19
-rw-r--r-- build-aux/workflow/preamble.md 15
-rw-r--r-- build-aux/workflow/preamble.rst 20
-rw-r--r-- build-aux/workflow/style.css 50
7 files changed, 302 insertions, 331 deletions
diff --git a/TODOs.md b/TODOs.md
new file mode 100644
index 0000000..cb3bdc0
--- /dev/null
+++ b/TODOs.md
@@ -0,0 +1,222 @@
+# Tasks
+
+## <span class="TODO"></span> Add proper "commit" role to TODOs.rst {#task-268afd29-d602-4f9c-9de8-348cc0b671fb}
+- TODO in 2021-01-16
+
+---
+
+So that it links to CGit directly.
+
+## <span class="TODO"></span> Change base image away from default SSH port {#task-df87e340-4c35-469a-9bc1-fc57429a0b8e}
+- TODO in 2021-01-16
+
+---
+
+## <span class="TODO"></span> Error when running `/var/lib/certbot/renew-certificates` on `guix deploy` {#task-723d9fcd-fdec-4f57-b774-2ed20599a714}
+- TODO in 2021-01-16
+
+---
+
+## <span class="TODO"></span> Proper NGINX configuration {#task-da20aa03-3c74-4382-ba24-a9ea48334e00}
+- TODO in 2021-01-16
+
+---
+
+- HTTP2
+- gzip
+- cache everything, detect content changes?
+
+## <span class="TODO"></span> Cronjob: Duplicate tarballs in Git notes to static directory listing {#task-8fa7a0c2-4a27-4c56-9817-a47982995ade}
+- TODO in 2021-01-16
+
+---
+
+This way it is easier to browse what tarballs are available.
+
+## <span class="TODO"></span> Is an `activation-service-type` what I want? {#task-56ccba06-fa8e-47b2-b014-44b4417ee072}
+- TODO in 2021-01-16
+
+---
+
+I have the impression that these are the sources of errors when
+rebooting the VPS.
+
+## <span class="TODO"></span> Provenance warning {#task-47992e04-038a-4528-9856-a25f60ebbb19}
+- TODO in 2021-01-16
+
+---
+
+Fix provenance warning when running `guix deploy`.
+
+## <span class="TODO"></span> Try running on the Raspberry Pi {#task-bc537812-5f9d-4760-8c95-9ae933ecbd57}
+- TODO in 2020-01-12
+
+---
+
+## <span class="TODO"></span> Use custom README converter {#task-ac19877b-55e3-48c8-8c3a-071124d23cd2}
+
+- TODO in 2021-01-12
+---
+
+Convert `README` file using markdown instead of plain text.
+
+## <span class="DONE"></span> Add index.html on built website {#task-92d8ad8d-df93-49c1-8393-eb7147326c29}
+- DONE in 2020-12-02
+
+ Generate index.html from README.md. Done in
+ `6d95acf144a4f2e48cb603af3a8032c172ceb53e`.
+
+- TODO in 2020-12-02
+
+---
+
+## <span class="TODO"></span> Test Guix deploy {#task-dee378cd-9e41-402b-9018-e9ebb05ef75d}
+- TODO in 2020-12-02
+
+---
+
+## <span class="TODO"></span> External volume {#task-d76d4d2c-f07e-420b-8f30-28eb258494a6}
+- TODO in 2020-11-30
+
+---
+
+```terraform
+variable "storage_name" {
+ type = string
+ description = "Name of the block storage volume, which will also be the name of it's mount point."
+}
+
+resource "vultr_block_storage" "vps_storage" {
+ size_gb = 10
+ region_id = 9
+ attached_id = vultr_server.vps_server.id
+ label = var.storage_name
+ live = "yes"
+}
+```
+
+## <span class="TODO"></span> Backups {#task-708bcd4f-4574-4227-8737-fcb10621f1ec}
+- TODO in 2020-11-30
+
+---
+
+If possible, put every data subfolder under the same folder, and just
+backup the top-level folder. This also allows me to put it on an
+external volum and grow it more easily.
+
+No real need to backup cgit, Jekyll, documetation and Cuirass, but
+useful to have if available.
+
+The certificates should be backed up, so that restoring doesn't involve
+re-creating everything from scratch.
+
+- [ ] Email
+- [ ] XMPP
+- [ ] Matrix
+- [ ] Certificates
+
+## <span class="TODO"></span> Monitoring {#task-5f0457af-49dc-4122-83ff-a0604e3c6a02}
+- TODO in 2020-11-30
+
+---
+
+- <https://mmonit.com/monit/>
+- <https://collectd.org/>
+
+Reports via email.
+
+## <span class="TODO"></span> Intrusion prevention and detection {#task-ee160451-cfe8-49b2-a71f-6f1dca02cb9d}
+- TODO in 2020-11-30
+
+---
+
+- <http://www.fail2ban.org/wiki/index.php/Main_Page>
+- <http://rkhunter.sourceforge.net/>
+
+## <span class="TODO"></span> Security review {#task-f8a54acf-a417-4957-ac13-21df9a57ed4c}
+- TODO in 2020-11-30
+
+---
+
+<https://cheatsheetseries.owasp.org/Glossary.html>
+
+## <span class="TODO"></span> Build new Guix image and document the steps {#task-7d57aa50-597e-4a86-b9d7-c2d84f53e1c6}
+- TODO in 2020-11-29
+
+---
+
+Instead of syncing the `.bashrc` file, I should put my aliases in the
+base image.
+
+Setup custom SSH port in the base image itself.
+
+## <span class="TODO"></span> Setup cgit {#task-43a7a634-84ec-41de-b243-c27fd4a44c25}
+- TODO in 2020-11-30
+
+---
+
+- setup `README` file rendering
+- force redirect HTTPS
+- permanent redirect www and everything else to non-www
+
+## <span class="TODO"></span> Add email mcron job report {#task-dd3f2bc7-8d6d-4bab-9a5e-d3211115e4f4}
+- TODO in 2020-11-29
+
+---
+
+# Bugs
+
+# Improvements
+
+# Services
+
+- `git.$tld`: cgit
+- `$project.$tld`: static documentation for projects
+- `ci.$tld`: single static HTML CI page
+- `mail.$tld`: email
+- `xmpp.$tld`: Prosody XMPP
+- `matrix.$tld`: Synapse Matrix
+- `static.$tld`: NGINX directory listing of static files
+- `$tld`: Jekyll blog
+
+# Decisions
+
+## <span class="DONE"></span> On public SSH key leakage {#decision-d38019ac-a2ad-484d-91e5-f4bdb1fa00ca}
+- DONE in 2020-09-06
+
+---
+
+As described in "[Public SSH keys can leak your private
+infrastructure](https://rushter.com/blog/public-ssh-keys/)", public SSH
+keys can expose undesired infrastructure, specially for targeted
+attacks.
+
+I'm not considering this a threat, since the link between the server
+and e is already public. It may be much more effective to just change
+the SSH port away from the default: it doesn't accomplish the same
+thing, but it prevents simple detections. It is still possible to find
+this out via a script, but is orders of magnitute harder for the
+attacker.
+
+## <span class="DONE"></span> Matrix over XMPP {#decision-de89fc4e-5c36-4f6b-9227-221b70e9f321}
+- DONE in 2020-11-29
+
+---
+
+I'm picking Matrix. Not because of the protocol or anything else, but
+because it has the two relevant double-puppeting bridges:
+mautrix-telegram and mautrix-whatsapp.
+
+TBH I like XMPP much more, but without working puppeting bridges, I
+would stay isolated with it, which would defeat the purpose of having a
+chat server on the first place.
+
+Maybe an XMPP double-puppeting bridge could allow me to use an XMPP
+client to talk with Telegram and WhatsApp chats.
+
+# Resources
+
+- <https://framagit.org/tyreunom/system-configuration/>
+- <https://framagit.org/Jeko/guix-machine-os-ynm/>
+
+# Scratch
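Review bot: The first task heading still reads `Add proper "commit" role to TODOs.rst` although this commit removes that file; retitle it for TODOs.md, since the `:commit:` role is gone and the hash under "Add index.html on built website" is now plain inline code with no link. The "Use custom README converter" entry also differs from every other task: it has a blank line between the heading and `- TODO in 2021-01-12` and none before `---`, so it may render differently from its siblings; match the layout of the other entries. The text carried over from the old file keeps its typos ("volum", "documetation", "magnitute", "it's mount point") and the truncated "the server and e" in the SSH key decision, which would be worth fixing while the file is being rewritten anyway.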
diff --git a/TODOs.rst b/TODOs.rst
deleted file mode 100644
index c60c5b3..0000000
--- a/TODOs.rst
+++ /dev/null
@@ -1,297 +0,0 @@
-Tasks
-=====
-
-.. _268afd29-d602-4f9c-9de8-348cc0b671fb:
-
-TODO Add proper "commit" role to TODOs.rst
-------------------------------------------
-- TODO in 2021-01-16
-
-----
-
-So that it links to CGit directly.
-
-.. _df87e340-4c35-469a-9bc1-fc57429a0b8e:
-
-TODO Change base image away from default SSH port
--------------------------------------------------
-- TODO in 2021-01-16
-
-----
-
-.. _723d9fcd-fdec-4f57-b774-2ed20599a714:
-
-TODO Error when running ``/var/lib/certbot/renew-certificates`` on ``guix deploy``
-----------------------------------------------------------------------------------
-- TODO in 2021-01-16
-
-----
-
-.. _da20aa03-3c74-4382-ba24-a9ea48334e00:
-
-TODO Proper NGINX configuration
--------------------------------
-- TODO in 2021-01-16
-
-----
-
-- HTTP2
-- gzip
-- cache everything, detect content changes?
-
-.. _8fa7a0c2-4a27-4c56-9817-a47982995ade:
-
-TODO Cronjob: Duplicate tarballs in Git notes to static directory listing
--------------------------------------------------------------------------
-- TODO in 2021-01-16
-
-----
-
-This way it is easier to browse what tarballs are available.
-
-.. _56ccba06-fa8e-47b2-b014-44b4417ee072:
-
-TODO Is an "activation-service-type" what I want?
--------------------------------------------------
-- TODO in 2021-01-16
-
-----
-
-I have the impression that these are the sources of errors when rebooting the VPS.
-
-.. _47992e04-038a-4528-9856-a25f60ebbb19:
-
-TODO Provenance warning
------------------------
-- TODO in 2021-01-16
-
-----
-
-Fix provenance warning when running ``guix deploy``.
-
-.. _bc537812-5f9d-4760-8c95-9ae933ecbd57:
-
-TODO Try running on the Raspberry Pi
-------------------------------------
-- TODO in 2020-01-12
-
-----
-
-
-.. _ac19877b-55e3-48c8-8c3a-071124d23cd2:
-
-TODO Use custom README converter
---------------------------------
-- TODO in 2021-01-12
-
-----
-
-Convert ``README`` file using markdown instead of plain text.
-
-
-.. _92d8ad8d-df93-49c1-8393-eb7147326c29:
-
-DONE Add index.html on built website
-------------------------------------
-- DONE in 2020-12-02
-
- Generate index.html from README.md. Done in
- :commit:`6d95acf144a4f2e48cb603af3a8032c172ceb53e` .
-
-- TODO in 2020-12-02
-
-----
-
-.. _dee378cd-9e41-402b-9018-e9ebb05ef75d:
-
-TODO Test Guix deploy
----------------------
-- TODO in 2020-12-02
-
-----
-
-
-.. _d76d4d2c-f07e-420b-8f30-28eb258494a6:
-
-TODO External volume
---------------------
-- TODO in 2020-11-30
-
-----
-
-.. code:: hcl
-
- variable "storage_name" {
- type = string
- description = "Name of the block storage volume, which will also be the name of it's mount point."
- }
-
- resource "vultr_block_storage" "vps_storage" {
- size_gb = 10
- region_id = 9
- attached_id = vultr_server.vps_server.id
- label = var.storage_name
- live = "yes"
- }
-
-.. _708bcd4f-4574-4227-8737-fcb10621f1ec:
-
-TODO Backups
-------------
-- TODO in 2020-11-30
-
-----
-
-If possible, put every data subfolder under the same folder, and just
-backup the top-level folder. This also allows me to put it on an
-external volum and grow it more easily.
-
-No real need to backup cgit, Jekyll, documetation and Cuirass, but
-useful to have if available.
-
-The certificates should be backed up, so that restoring doesn't involve
-re-creating everything from scratch.
-
-- [ ] Email
-- [ ] XMPP
-- [ ] Matrix
-- [ ] Certificates
-
-.. _5f0457af-49dc-4122-83ff-a0604e3c6a02:
-
-TODO Monitoring
----------------
-- TODO in 2020-11-30
-
-----
-
-- https://mmonit.com/monit/
-
-- https://collectd.org/
-
-Reports via email.
-
-
-.. _ee160451-cfe8-49b2-a71f-6f1dca02cb9d:
-
-TODO Intrusion prevention and detection
----------------------------------------
-- TODO in 2020-11-30
-
-----
-
-- http://www.fail2ban.org/wiki/index.php/Main_Page
-- http://rkhunter.sourceforge.net/
-
-.. _f8a54acf-a417-4957-ac13-21df9a57ed4c:
-
-TODO Security review
---------------------
-- TODO in 2020-11-30
-
-----
-
-https://cheatsheetseries.owasp.org/Glossary.html
-
-
-.. _7d57aa50-597e-4a86-b9d7-c2d84f53e1c6:
-
-TODO Build new Guix image and document the steps
-------------------------------------------------
-- TODO in 2020-11-29
-
-----
-
-Instead of syncing the ``.bashrc`` file, I should put my aliases in the
-base image.
-
-Setup custom SSH port in the base image itself.
-
-
-.. _43a7a634-84ec-41de-b243-c27fd4a44c25:
-
-TODO Setup cgit
----------------
-- TODO in 2020-11-30
-
-----
-
-- setup ``README`` file rendering
-- force redirect HTTPS
-- permanent redirect www and everything else to non-www
-
-
-.. _dd3f2bc7-8d6d-4bab-9a5e-d3211115e4f4:
-
-TODO Add email mcron job report
--------------------------------
-- TODO in 2020-11-29
-
-Bugs
-====
-
-Improvements
-============
-
-Services
-========
-
-- ``git.$tld``: cgit
-- ``$project.$tld``: static documentation for projects
-- ``ci.$tld``: single static HTML CI page
-- ``mail.$tld``: email
-- ``xmpp.$tld``: Prosody XMPP
-- ``matrix.$tld``: Synapse Matrix
-- ``static.$tld``: NGINX directory listing of static files
-- ``$tld``: Jekyll blog
-
-Decisions
-=========
-
-.. _d38019ac-a2ad-484d-91e5-f4bdb1fa00ca:
-
-DONE On public SSH key leakage
-------------------------------
-- DONE in 2020-09-06
-
-----
-
-As described in "`Public SSH keys can leak your private
-infrastructure <https://rushter.com/blog/public-ssh-keys/>`__", public
-SSH keys can expose undesired infrastructure, specially for targeted
-attacks.
-
-I'm not considering this a threat, since the link between the server and
-e is already public. It may be much more effective to just change the
-SSH port away from the default: it doesn't accomplish the same thing,
-but it prevents simple detections. It is still possible to find this out
-via a script, but is orders of magnitute harder for the attacker.
-
-
-.. _de89fc4e-5c36-4f6b-9227-221b70e9f321:
-
-DONE Matrix over XMPP
----------------------
-- DONE in 2020-11-29
-
-----
-
-I'm picking Matrix. Not because of the protocol or anything else, but
-because it has the two relevant double-puppeting bridges:
-mautrix-telegram and mautrix-whatsapp.
-
-TBH I like XMPP much more, but without working puppeting bridges, I
-would stay isolated with it, which would defeat the purpose of having a
-chat server on the first place.
-
-Maybe an XMPP double-puppeting bridge could allow me to use an XMPP
-client to talk with Telegram and WhatsApp chats.
-
-Resources
-=========
-
-- https://framagit.org/tyreunom/system-configuration/
-- https://framagit.org/Jeko/guix-machine-os-ynm/
-
-Scratch
-=======
diff --git a/build-aux/assert-todos.sh b/build-aux/assert-todos.sh
index ebed4e8..ce6c95b 100755
--- a/build-aux/assert-todos.sh
+++ b/build-aux/assert-todos.sh
@@ -1,22 +1,22 @@
#!/bin/sh -eu
-if git grep FIXME | grep -v '^TODOs.rst' | grep -v '^build-aux/assert-todos.sh' | grep -v '^build-aux/docbook-xsl/'; then
+if git grep FIXME | grep -v '^TODOs.md' | grep -v '^build-aux/assert-todos.sh' | grep -v '^build-aux/docbook-xsl/'; then
echo "Found dangling FIXME markers on the project."
- echo "You should write them down properly on TODOs.rst."
+ echo "You should write them down properly on TODOs.md."
exit 1
fi
KNOWN_IDS=''
has_error=0
# shellcheck disable=2013
-for todo in $(sed -e '/^\* Tasks$/,/^\* Improvements$/!d' TODOs.rst | grep -nE '^\*\* .*$' | cut -d: -f1); do
- if sed "${todo}q;d" TODOs.rst | grep -qE '^\*\* (CANCELLED|DONE)'; then
+for todo in $(sed -e '/^\* Tasks$/,/^\* Improvements$/!d' TODOs.md | grep -nE '^\*\* .*$' | cut -d: -f1); do
+ if sed "${todo}q;d" TODOs.md | grep -qE '^\*\* (CANCELLED|DONE)'; then
ID_OFFSET=3
else
ID_OFFSET=2
fi
line_n="$((todo+ID_OFFSET))"
- ID_LINE="$(sed "${line_n}q;d" TODOs.rst)"
+ ID_LINE="$(sed "${line_n}q;d" TODOs.md)"
if echo "$ID_LINE" | grep -q '^:CUSTOM_ID: .*$'; then
ID="$(echo "$ID_LINE" | awk '{print $2}')"
if echo "$KNOWN_IDS" | grep -q "$ID"; then
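Review bot: The ID check in the `for todo in ...` loop no longer inspects anything, because only the file name changed while the patterns still describe Org-mode syntax: `^\* Tasks$`, `^\* Improvements$`, `^\*\* .*$` and `^:CUSTOM_ID: .*$`. The new TODOs.md uses `# Tasks`, `## <span class="TODO"></span> ...` and inline `{#task-<uuid>}` attributes, so the `sed` range selects no lines, the loop body never runs, and missing or duplicate IDs pass silently. Match `^## ` headings between `# Tasks` and `# Improvements` and extract the ID from the `{#...}` attribute on the heading line itself, which also removes the need for `ID_OFFSET`. Two smaller points in the same lines: the dot in `grep -v '^TODOs.md'` is unescaped, and `grep -q "$ID"` treats the ID as a regex and matches substrings, so a fixed-string comparison (`grep -qF`) is safer for the duplicate test.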
diff --git a/build-aux/workflow/TODOs.sh b/build-aux/workflow/TODOs.sh
index f080001..b8a3f29 100755
--- a/build-aux/workflow/TODOs.sh
+++ b/build-aux/workflow/TODOs.sh
@@ -6,12 +6,13 @@ export PROJECT_UC="$1"
export PROJECT="$2"
export MAILING_LIST="$3"
-envsubst < build-aux/workflow/preamble.rst | \
- cat - TODOs.rst | \
- pandoc --toc \
- --highlight-style pygments \
- --toc-depth=2 \
- -s \
- --metadata title="$1 - TODOs" \
- --metadata lang=en \
- -r rst -w html > public/TODOs.html
+envsubst < build-aux/workflow/preamble.md | \
+ cat - TODOs.md | \
+ pandoc --toc \
+ --highlight-style pygments \
+ --toc-depth=2 \
+ -s \
+ --metadata title="$1 - TODOs" \
+ --metadata lang=en \
+ -H build-aux/workflow/style.css \
+ -r markdown -w html > public/TODOs.html
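Review bot: The new `-H build-aux/workflow/style.css` line includes that file verbatim in the HTML head, which only works because the file wraps its rules in `<style>` tags, so it is an HTML fragment with a `.css` name. Either rename it (for example `style.html`) so editors and linters do not treat it as a stylesheet, or keep it as pure CSS and pass it with pandoc's `--css` option. Separately, the title uses `"$1 - TODOs"` while the same value is already exported as `PROJECT_UC` in the context lines; using the named variable keeps the script readable.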
diff --git a/build-aux/workflow/preamble.md b/build-aux/workflow/preamble.md
new file mode 100644
index 0000000..ac75d9d
--- /dev/null
+++ b/build-aux/workflow/preamble.md
@@ -0,0 +1,15 @@
+# About
+
+TODOs for $PROJECT_UC.
+
+See also [$PROJECT.euandreh.xyz](https://$PROJECT.euandreh.xyz/).
+
+Register a new one:
+[~euandreh/$MAILING_LIST@lists.sr.ht](mailto:~euandreh/$MAILING_LIST@lists.sr.ht?subject=BUG%20or%20TASK%3A%20%3Cdescription%3E).
+
+*Você também pode escrever em português*.
+
+*Vous pouvez aussi écrire en français*.
+
+*Vi povas ankaŭ skribi esperante*.
+
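Review bot: This file is fed through `envsubst` with no variable list (see the TODOs.sh hunk), so every `$NAME` in it is expanded, not just `$PROJECT_UC`, `$PROJECT` and `$MAILING_LIST`; any later prose containing a dollar sign would be silently blanked. Restrict the substitution by passing the three variable names as the SHELL-FORMAT argument to `envsubst`. The file also ends with an empty line 15, which git reports as a blank line at EOF; drop it.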
diff --git a/build-aux/workflow/preamble.rst b/build-aux/workflow/preamble.rst
deleted file mode 100644
index caa50e6..0000000
--- a/build-aux/workflow/preamble.rst
+++ /dev/null
@@ -1,20 +0,0 @@
-About
-=====
-
-TODOs for $PROJECT_UC.
-
-See also `$PROJECT.euandreh.xyz`_.
-
-Register a new one: `~euandreh/$MAILING_LIST@lists.sr.ht`_.
-
-*Você também pode escrever em português.*
-
-*Vous pouvez aussi écrire en français.*
-
-*Vi povas ankaŭ skribi esperante.*
-
-.. _`$PROJECT.euandreh.xyz`: https://$PROJECT.euandreh.xyz/
-.. _`~euandreh/$MAILING_LIST@lists.sr.ht`: mailto:~euandreh/$MAILING_LIST@lists.sr.ht?subject=BUG%20or%20TASK%3A%20%3Cdescription%3E
-
-.. role:: commit
-
diff --git a/build-aux/workflow/style.css b/build-aux/workflow/style.css
new file mode 100644
index 0000000..b68ff70
--- /dev/null
+++ b/build-aux/workflow/style.css
@@ -0,0 +1,50 @@
+<style>
+ hr {
+ background-color: #ccc;
+ }
+
+ /*
+ Replicate colors from:
+ https://git.euandreh.xyz/dotfiles/tree/spacemacs.el?id=fcd9f9c4ef399d45d54927382dc1cdde251ebb0a#n866
+ */
+
+ .TODO::after {
+ content: "TODO";
+ color: brown;
+ }
+
+ .DOING::after {
+ content: "DOING";
+ color: yellowgreen;
+ }
+
+ .WAITING::after {
+ content: "WAITING";
+ color: gray;
+ }
+
+ .MEETING::after {
+ content: "MEETING";
+ color: gray;
+ }
+
+ .INACTIVE::after {
+ content: "INACTIVE";
+ color: orange;
+ }
+
+ .NEXT::after {
+ content: "NEXT";
+ color: red;
+ }
+
+ .CANCELLED::after {
+ content: "CANCELLED";
+ color: green;
+ }
+
+ .DONE::after {
+ content: "DONE";
+ color: green;
+ }
+</style>
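Review bot: Every state rule here (`.TODO::after { content: "TODO"; ... }` and its siblings) puts the task state into CSS-generated content, while the `<span class="TODO"></span>` elements in TODOs.md are empty. The state word is therefore absent from the document text: it cannot be found with in-page search or `grep` on the rendered HTML, is not copied with the heading, and disappears wherever the stylesheet is not applied. Put the word inside the span in TODOs.md and keep only the `color` declarations here. The file also opens with `<style>` and closes with `</style>`, so it is not valid CSS despite its extension; see the `-H` option in TODOs.sh.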