-rw-r--r-- | TODOs.md | 452 |
1 files changed, 1 insertions, 451 deletions
@@ -1,145 +1,5 @@ # Tasks -## TODO Add Git custom config to dotfiles {#td-8b422469-ebfc-e1a6-605b-fc39adda4c68} -- TODO in 2022-03-29 - ---- - -``` -git config --global init.defaultBranch main -``` - -## TODO Automate generation and renewal of Let's Encrypt certificates {#td-7853ec30-a832-d05b-f530-2417dc7524d7} -- TODO in 2022-03-29 - -## TODO Fix `$PS1` line editing {#td-417b0c33-a631-c8a1-bc8a-66c104355106} -- TODO in 2022-03-28 - -## TODO Automate implicit dependencies {#td-366e93f7-659f-7f48-4c8e-4d5eb1362df5} -- TODO in 2022-03-28 - ---- - -FIXME -From `src/infrastructure/machines.scm`: - -```scheme -;; -;; Implicit dependencies, to be automated: -;; - /srv and /opt directories: -;; # mkdir -p /srv/http /opt/secrets -;; # chown -R andreh:users /opt /srv -;; # chmod -R 755 /opt /srv -;; - create /opt/secrets/borg-passphrase.txt -;; $ pass generate VPS/$SERVER/borg/passphrase.txt 999 -;; $ pass show VPS/$SERVER/borg/passphrase | ssh $SERVER 'cat - > /opt/secrets/borg-passphrase.tx -t' -;; - create the SSH key -;; $ ssh-keygen -;; - *manually* add that to the authorized_keys on rsync.net: -;; $ scp suyin:.ssh/authorized_keys src/rsync.net/ -;; $ # add 'restrict,command="..."' to the authorized_keys entry -;; $ ssh $SERVER cat .ssh/id_rsa.pub >> authorized_keys -;; $ scp src/rsync.net/authorized_keys suyin:.ssh/ -;; - copy borg key after the first backup: -;; $ ? -;; - generate DKIM key -;; $ guix shell openssl -- openssl genrsa -out /opt/secrets/dkim.arrobaponto.org.key 1024 -;; $ guix shell openssl -- openssl rsa -in /opt/secrets/dkim.arrobaponto.org.key -pubout -out - /opt/secrets/dkim.arrobaponto.org.pub - ;; - manually load /etc/profile-extra, /etc/bashrc-extra and /etc/ps1.sh - ;; to ~/.bashrc and ~root/.bashrc - ;; -``` - -## TODO Remove `info` alias {#td-1f71cdc9-374f-4e2a-bbd0-034bd12e9685} -- TODO in 2022-03-28 - -## TODO Remove `dhcp-client-service-type` and hard code static IP? 
{#td-d92756f5-97db-e9ff-dd1e-0149a694c565} -- TODO in 2022-03-27 - -## TODO Subscribe to CVE notifications {#td-094bbe96-43ca-ef6a-c78e-5b4290b5f80b} -- TODO in 2022-03-26 - -## TODO Fix mcron failed jobs email reports {#td-9b20afc8-c1f0-ceef-07cb-be18bdd922eb} -- TODO in 2022-03-25 - -## TODO Consider using SSH certificates {#td-dfa8443e-8da0-3dc9-ee73-d527efae203d} -- TODO in 2022-03-24 - ---- - -Reference: -- <https://smallstep.com/blog/use-ssh-certificates/> - -## TODO Subscribe to admin and security mailing lists of deployed software {#td-17c27497-226f-4c3d-5ad5-7cc279606963} -- TODO in 2022-03-21 - ---- - -- Postfix, SpamAssasin, Dovecot; -- Matrix (Conduit), Prosody; -- Git; -- NGINX, fcgiwrap; -- Prometheus, $LOG_TOOL; -- Nextcloud; -- Guix; -- DNS (knot or nsd), certbot; -- borg; -- Litestream. - -## TODO Put "arrobaponto.org" in a variable {#td-fa5c767a-c63d-69dd-1fb4-1425ed7b219e} -- TODO in 2022-03-20 - -## TODO Replace Vultr with Raspberry Pi {#td-39864f91-afa7-5a9d-1d3b-230c75b8b36f} -- TODO in 2022-03-20 - -## TODO Replace `$R` with `suyin` for SSH {#td-0f8c386f-ea4c-900d-35e7-dbead75d9d90} -- TODO in 2022-03-17 - -## TODO Fix warning on missing (machines) module {#td-9fc35972-24b4-376c-d61f-bb0356e25ffb} -- TODO in 2022-03-11 - -## TODO Use Guix Home over ad-hoc etc-service-type setup {#td-3bfc0a15-da13-a98b-e5ae-7d67e02cac97} -- TODO in 2022-03-11 - -## TODO Properly handle `/var/log/*` logfiles {#td-37e4373e-64ee-eab5-99fb-4126939126d7} -- TODO in 2022-03-08 - ---- - -Do proper log rotation (declaratively configured in `machines.scm`), include -them in backups, send information in emails, filter different log levels, -process them with things like [`goaccess`], etc. 
- -[`goaccess`]: https://goaccess.io/ - -## TODO Disable outgoing rules for `ufw` firewall on toph {#td-c7aa4728-5288-205d-b5c5-5974993ec283} -- TODO in 2022-03-07 - -## TODO Test and debug SSH {#td-10232d88-64be-59c8-c127-e5b374265ab3} -- TODO in 2022-03-07 - ---- - -<https://gist.github.com/koobs/e01cf8869484a095605404cd0051eb11>. - -## TODO Test and debug TLS {#td-529d6f4b-468a-06c2-423e-4aa7447d4eae} -- TODO in 2022-03-07 - ---- - -<https://testssl.sh/>. - -## TODO Test and debug DNS setup {#td-12b5afa7-b9f9-9ecc-d6b6-8826509f56dc} -- TODO in 2022-03-07 - ---- - -Useful resources: -- <https://dns-lookup.jvns.ca/> -- <https://www.learndmarc.com/> - ## TODO Make VPS run on home server? {#td-afbfdf41-1215-4c67-3170-bb75af43aeb7} - TODO in 2022-03-07 
@@ -150,232 +10,9 @@ Inspiration taken from: - [This website has 81% battery power remaining](<https://news.ycombinator.com/item?id=29531145>) - [I host this blog from my garage](https://news.ycombinator.com/item?id=29474130) -## TODO Consider `TURN`/`STUN` for torrents, and what its tradeoffs are {#td-051b0b06-49a3-10bb-98b8-267c21abe8af} -- TODO in 2022-03-07 - -## TODO Use `doas` over `sudo`? {#td-f859f776-9fb0-d1b7-e7aa-45e11da9264a} -- TODO in 2022-03-07 - -## TODO Add `security.txt` {#td-4edfaf39-769b-b963-269e-9cc9e4f4f33f} -- TODO in 2022-03-07 - ---- - -Add check to ensure that its `Expires` field is in sync with the refreshed GPG -key, and that this file in `euandre.org` is also in sync with `euandreh.xyz` and -other domains. - -Probably just: -``` -Contact: mailto:eu@euandre.org -Expires: 2022-07-12T03:00:00.000Z -Encryption: https://euandre.org/public-key.txt -Preferred-Languages: en, pt, fr, eo, es -``` - -## TODO Update `README.md` with relevant instructions {#td-86fc7cfd-27e4-0414-5129-899bf80451f3} -- TODO in 2022-03-07 - -## TODO Do 3-2-1 backups {#td-dae28289-0b87-f931-8911-97cd810c9507} -- TODO in 2022-03-06 - -## TODO Make VPS IPv6 only {#task-ef646036-9be7-5669-ac12-3f6be1c71bce} +## TODO Make VPS IPv6 only {#td-ef646036-9be7-5669-ac12-3f6be1c71bce} - TODO in 2021-07-28 -## TODO Send email after gc.sh job {#task-4b3b746c-7042-469d-95fb-dede89343439} -- TODO in 2021-03-07 - -## TODO DNSSEC? {#task-c2da4f1f-f8fb-4584-bd8d-f1e1351c0881} -- TODO in 2021-03-07 - -## TODO Use doas over sudo {#task-ab2dd2e6-332c-472c-9fd1-6a9cfd620a5f} -- TODO in 2021-02-25 - -## TODO Package Terraform for Guix {#task-0a38c085-9d4a-41ef-9f66-dc85d9ad984b} -- TODO in 2021-02-23 - -## TODO Which channel Guix deploy uses? {#task-9852eee9-7b0b-456d-9fcb-cd531ac0c3e1} -- TODO in 2021-02-22 - ---- - -I expect it to be the remote channel, otherwise the `unattended-upgrade` service is much less useful. -Is it the local one? 
- -## TODO Support tags/labels in TODOs.md {#task-2a86ee6a-09a1-48c4-aff1-c39a00d87d55} -- TODO in 2021-01-16 - ---- - -Pilfer style from orgcss.css. - -## CANCELLED Add commit "macro" to TODOs.md {#task-268afd29-d602-4f9c-9de8-348cc0b671fb} -- CANCELLED in 2021-03-06 - - It is better instead to link manually, no automagic. -- TODO in 2021-01-16 - ---- - -So that it links to CGit directly. - -## TODO Change base image away from default SSH port {#task-df87e340-4c35-469a-9bc1-fc57429a0b8e} -- TODO in 2021-01-16 - -## TODO Error when running `/var/lib/certbot/renew-certificates` on `guix deploy` {#task-723d9fcd-fdec-4f57-b774-2ed20599a714} -- TODO in 2021-01-16 - -## TODO Proper NGINX configuration {#task-da20aa03-3c74-4382-ba24-a9ea48334e00} -- TODO in 2021-01-16 - ---- - -- HTTP2 -- gzip -- cache everything, detect content changes? - -## CANCELLED Cronjob: Duplicate tarballs in Git notes to static directory listing {#task-8fa7a0c2-4a27-4c56-9817-a47982995ade} -- CANCELLED in 2021-03-06 - - Tarballs are no longer stored in Git notes. They are just the Git tags themselves, that CGit/gistatic generates. -- TODO in 2021-01-16 - ---- - -This way it is easier to browse what tarballs are available. - -## TODO Is an `activation-service-type` what I want? {#task-56ccba06-fa8e-47b2-b014-44b4417ee072} -- TODO in 2021-01-16 - ---- - -I have the impression that these are the sources of errors when -rebooting the VPS. - -## TODO Provenance warning {#task-47992e04-038a-4528-9856-a25f60ebbb19} -- TODO in 2021-01-16 - ---- - -Fix provenance warning when running `guix deploy`. - -## TODO Try running on the Raspberry Pi {#task-bc537812-5f9d-4760-8c95-9ae933ecbd57} -- TODO in 2020-01-12 - -## CANCELLED Use custom README converter {#task-ac19877b-55e3-48c8-8c3a-071124d23cd2} -- CANCELLED in 2021-03-06 - - `README.md` is for commonmark, `README` is plain text. -- TODO in 2021-01-12 - ---- - -Convert `README` file using markdown instead of plain text. 
- -## DONE Add index.html on built website {#task-92d8ad8d-df93-49c1-8393-eb7147326c29} -- DONE in 2020-12-02 - - Generate index.html from README.md. Done in - `6d95acf144a4f2e48cb603af3a8032c172ceb53e`. - -- TODO in 2020-12-02 - -## DONE Test Guix deploy {#task-dee378cd-9e41-402b-9018-e9ebb05ef75d} -- DONE in 2021-03-06 - - It works! -- TODO in 2020-12-02 - -## TODO External volume {#task-d76d4d2c-f07e-420b-8f30-28eb258494a6} -- TODO in 2020-11-30 - ---- - -```terraform -variable "storage_name" { - type = string - description = "Name of the block storage volume, which will also be the name of it's mount point." -} - -resource "vultr_block_storage" "vps_storage" { - size_gb = 10 - region_id = 9 - attached_id = vultr_server.vps_server.id - label = var.storage_name - live = "yes" -} -``` - -## TODO Backups {#task-708bcd4f-4574-4227-8737-fcb10621f1ec} -- TODO in 2020-11-30 - ---- - -If possible, put every data subfolder under the same folder, and just -backup the top-level folder. This also allows me to put it on an -external volum and grow it more easily. - -No real need to backup cgit, Jekyll, documetation and Cuirass, but -useful to have if available. - -The certificates should be backed up, so that restoring doesn't involve -re-creating everything from scratch. - -- [ ] Email -- [ ] XMPP -- [ ] Matrix -- [ ] Certificates - -## TODO Monitoring {#task-5f0457af-49dc-4122-83ff-a0604e3c6a02} -- TODO in 2020-11-30 - ---- - -- <https://mmonit.com/monit/> -- <https://collectd.org/> - -Reports via email. 
- -## TODO Intrusion prevention and detection {#task-ee160451-cfe8-49b2-a71f-6f1dca02cb9d} -- TODO in 2020-11-30 - ---- - -- <http://www.fail2ban.org/wiki/index.php/Main_Page> -- <http://rkhunter.sourceforge.net/> - -## TODO Security review {#task-f8a54acf-a417-4957-ac13-21df9a57ed4c} -- TODO in 2020-11-30 - ---- - -<https://cheatsheetseries.owasp.org/Glossary.html> - -## TODO Build new Guix image and document the steps {#task-7d57aa50-597e-4a86-b9d7-c2d84f53e1c6} -- TODO in 2020-11-29 - ---- - -Instead of syncing the `.bashrc` file, I should put my aliases in the -base image. - -Setup custom SSH port in the base image itself. - -## CANCELLED Setup cgit {#task-43a7a634-84ec-41de-b243-c27fd4a44c25} -- CANCELLED in 2021-03-06 - - Use gistatic generator, instead. No extra server configuration required, just vanilla NGINX. -- TODO in 2020-11-30 - ---- - -- setup `README` file rendering -- force redirect HTTPS -- permanent redirect www and everything else to non-www - -## TODO Add email mcron job report {#task-dd3f2bc7-8d6d-4bab-9a5e-d3211115e4f4} -- TODO in 2020-11-29 - # Bugs 
@@ -385,101 +22,14 @@ Setup custom SSH port in the base image itself. # Questions -## TODO How to do video-conferencing? {#question-fe884516-3fde-42ba-b382-2e0068a99a36} -- TODO in 2021-03-06 - ---- - -Installing and maintaining Nextcloud just for this is an overkill. - # Ideas -## TODO TLDs ideas {#td-b6c2760f-4ea7-3f2c-bad7-e1f1e5f633bb} -- TODO in 2022-03-28 - ---- - -From `src/infrastructure/machines.scm`: -```scheme -;; toph -> euandre.org -;; kuvira -> euandreh.xyz -;; ??? -> arrobaponto.org -;; asami -> discussions.site -;; zhu-li -> mediator.ht -;; lily -> hinarioespirita.org ; musician -;; kyoshi -> standardify.sh ; standardtized warriors -;; suyin -> rsync.net ; city with a metal shell -;; ??? -> amber.ht -;; yangchen -> multipatch.xyz -;; mai -> mailbug.xyz -``` - - -# Services - -- `ssh://$tld`: OpenSSH -- `https://$tld`: NGINX - static HTTP + CGI + webapps -- `xmpp://$tld`: Prosody XMPP -- `https://matrix.$tld`: Synapse Matrix -- `smtps://$tld`: OpenSMTPD + SpamAssasin + OpenDKIM + ClamAV -- `imaps://$tld`: Dovecot -- `https://mail.$tld`: webmail -- `https://voice.$tld`: Murmur -- `https://cloud.$tld`: Nextcloud -- `https://irc.$tld`: IRC server -- `https://metrics.$tld`: Prometheus -- `https://logs.$tld`: $LOG_TOOL - # Decisions -## DONE On public SSH key leakage {#decision-d38019ac-a2ad-484d-91e5-f4bdb1fa00ca} -- DONE in 2020-09-06 - ---- - -As described in "[Public SSH keys can leak your private -infrastructure](https://rushter.com/blog/public-ssh-keys/)", public SSH -keys can expose undesired infrastructure, specially for targeted -attacks. - -I'm not considering this a threat, since the link between the server -and e is already public. It may be much more effective to just change -the SSH port away from the default: it doesn't accomplish the same -thing, but it prevents simple detections. It is still possible to find -this out via a script, but is orders of magnitute harder for the -attacker. 
- -## DONE Matrix over XMPP {#decision-de89fc4e-5c36-4f6b-9227-221b70e9f321} -- DONE in 2020-11-29 - ---- - -I'm picking Matrix. Not because of the protocol or anything else, but -because it has the two relevant double-puppeting bridges: -mautrix-telegram and mautrix-whatsapp. - -TBH I like XMPP much more, but without working puppeting bridges, I -would stay isolated with it, which would defeat the purpose of having a -chat server on the first place. - -Maybe an XMPP double-puppeting bridge could allow me to use an XMPP -client to talk with Telegram and WhatsApp chats. - # Resources -- <https://framagit.org/tyreunom/system-configuration/> -- <https://framagit.org/Jeko/guix-machine-os-ynm/> -- <https://github.com/spantaleev/matrix-docker-ansible-deploy> -- <https://bryanbrattlof.com/cgit-nginx-gitolite-a-personal-git-server/> -- <https://lars.ingebrigtsen.no/2020/03/25/so-you-want-to-run-your-own-mail-server/> -- <https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/> -- <https://othacehe.org/hosting-a-blog-using-only-scheme.html> -- <https://git.savannah.gnu.org/cgit/guix/maintenance.git/tree/hydra/berlin.scm> -- <https://stumbles.id.au/getting-started-with-guix-deploy.html> -- <https://nickcraver.com/blog/2016/02/17/stack-overflow-the-architecture-2016-edition/> - # Scratch |
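Review bot: in the first hunk (`@@ -1,145 +1,5 @@`), the removed "Automate implicit dependencies" block is the only place that records manual steps with security consequences that remain unresolved after this change: `chmod -R 755 /opt /srv` leaves `/opt/secrets` traversable by every local user, so the borg passphrase written there with `cat - > /opt/secrets/borg-passphrase.txt` ends up world-readable unless the umask is restrictive; the DKIM key is generated with `openssl genrsa ... 1024`, which is below the 2048-bit size current signing guidance expects; and the `pass` paths disagree (`pass generate VPS/$SERVER/borg/passphrase.txt` versus `pass show VPS/$SERVER/borg/passphrase`), so the show step would not find the generated entry. The same hunk also drops "Subscribe to CVE notifications" and "Automate generation and renewal of Let's Encrypt certificates" with nothing in the diff marking them done. Suggest either keeping these items, or stating in the commit message where they are now tracked, before deleting the list.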
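Review bot: in the second hunk (`@@ -150,232 +10,9 @@`), the only item kept is "Make VPS IPv6 only" (with its anchor renamed from `#task-` to `#td-`), while the hardening and recovery items are deleted without any DONE/CANCELLED record: "Add `security.txt`" together with its planned check that the `Expires` field stays in sync with the refreshed GPG key and that the file matches across domains, "Do 3-2-1 backups", the "Backups" checklist that explicitly lists certificates, email, XMPP and Matrix data as unchecked, "Intrusion prevention and detection", "Security review", and "Change base image away from default SSH port". Elsewhere in this file resolved items are closed with a `DONE in <date>` or `CANCELLED in <date>` line plus a reason; suggest using that convention for these rather than a silent removal, so the backup and `security.txt` expiry checks are not lost.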
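Review bot: in the third hunk (`@@ -385,101 +22,14 @@`), deleting the whole "Decisions" section discards the recorded security rationale, in particular "On public SSH key leakage", which documents an accepted risk (public SSH keys revealing infrastructure) and the compensating choice of a non-default SSH port. A decision log is the part of this file most worth keeping, because the reasoning is needed when the choice is revisited; note also that the deleted text's claim that a non-default port makes discovery "orders of magnitude harder" overstates the benefit, since full-port scans are routine, so the decision deserves a future review rather than removal. The "Services" list removed here (OpenSSH, NGINX, Prosody, Synapse, OpenSMTPD + SpamAssassin + OpenDKIM + ClamAV, Dovecot, Prometheus, ...) is likewise the inventory a security review and the "Subscribe to admin and security mailing lists" item depend on. Suggest moving "Decisions" and "Services" to a separate file instead of dropping them, and saying so in the commit message.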