Diffstat (limited to 'TODOs.md')
-rw-r--r-- | TODOs.md | 222 |
1 files changed, 222 insertions, 0 deletions
diff --git a/TODOs.md b/TODOs.md new file mode 100644 index 0000000..cb3bdc0 --- /dev/null +++ b/TODOs.md 
@@ -0,0 +1,222 @@ +# Tasks + +## <span class="TODO"></span> Add proper "commit" role to TODOs.rst {#task-268afd29-d602-4f9c-9de8-348cc0b671fb} +- TODO in 2021-01-16 + +--- + +So that it links to CGit directly. + +## <span class="TODO"></span> Change base image away from default SSH port {#task-df87e340-4c35-469a-9bc1-fc57429a0b8e} +- TODO in 2021-01-16 + +--- + +## <span class="TODO"></span> Error when running `/var/lib/certbot/renew-certificates` on `guix deploy` {#task-723d9fcd-fdec-4f57-b774-2ed20599a714} +- TODO in 2021-01-16 + +--- + +## <span class="TODO"></span> Proper NGINX configuration {#task-da20aa03-3c74-4382-ba24-a9ea48334e00} +- TODO in 2021-01-16 + +--- + +- HTTP2 +- gzip +- cache everything, detect content changes? + +## <span class="TODO"></span> Cronjob: Duplicate tarballs in Git notes to static directory listing {#task-8fa7a0c2-4a27-4c56-9817-a47982995ade} +- TODO in 2021-01-16 + +--- + +This way it is easier to browse what tarballs are available. + +## <span class="TODO"></span> Is an `activation-service-type` what I want? {#task-56ccba06-fa8e-47b2-b014-44b4417ee072} +- TODO in 2021-01-16 + +--- + +I have the impression that these are the sources of errors when +rebooting the VPS. + +## <span class="TODO"></span> Provenance warning {#task-47992e04-038a-4528-9856-a25f60ebbb19} +- TODO in 2021-01-16 + +--- + +Fix provenance warning when running `guix deploy`. + +## <span class="TODO"></span> Try running on the Raspberry Pi {#task-bc537812-5f9d-4760-8c95-9ae933ecbd57} +- TODO in 2020-01-12 + +--- + +## <span class="TODO"></span> Use custom README converter {#task-ac19877b-55e3-48c8-8c3a-071124d23cd2} + +- TODO in 2021-01-12 +--- + +Convert `README` file using markdown instead of plain text. + +## <span class="DONE"></span> Add index.html on built website {#task-92d8ad8d-df93-49c1-8393-eb7147326c29} +- DONE in 2020-12-02 + + Generate index.html from README.md. Done in + `6d95acf144a4f2e48cb603af3a8032c172ceb53e`. 
+ +- TODO in 2020-12-02 + +--- + +## <span class="TODO"></span> Test Guix deploy {#task-dee378cd-9e41-402b-9018-e9ebb05ef75d} +- TODO in 2020-12-02 + +--- + +## <span class="TODO"></span> External volume {#task-d76d4d2c-f07e-420b-8f30-28eb258494a6} +- TODO in 2020-11-30 + +--- + +```terraform +variable "storage_name" { + type = string + description = "Name of the block storage volume, which will also be the name of it's mount point." +} + +resource "vultr_block_storage" "vps_storage" { + size_gb = 10 + region_id = 9 + attached_id = vultr_server.vps_server.id + label = var.storage_name + live = "yes" +} +``` + +## <span class="TODO"></span> Backups {#task-708bcd4f-4574-4227-8737-fcb10621f1ec} +- TODO in 2020-11-30 + +--- + +If possible, put every data subfolder under the same folder, and just +backup the top-level folder. This also allows me to put it on an +external volum and grow it more easily. + +No real need to backup cgit, Jekyll, documetation and Cuirass, but +useful to have if available. + +The certificates should be backed up, so that restoring doesn't involve +re-creating everything from scratch. + +- [ ] Email +- [ ] XMPP +- [ ] Matrix +- [ ] Certificates + +## <span class="TODO"></span> Monitoring {#task-5f0457af-49dc-4122-83ff-a0604e3c6a02} +- TODO in 2020-11-30 + +--- + +- <https://mmonit.com/monit/> +- <https://collectd.org/> + +Reports via email. 
+ +## <span class="TODO"></span> Intrusion prevention and detection {#task-ee160451-cfe8-49b2-a71f-6f1dca02cb9d} +- TODO in 2020-11-30 + +--- + +- <http://www.fail2ban.org/wiki/index.php/Main_Page> +- <http://rkhunter.sourceforge.net/> + +## <span class="TODO"></span> Security review {#task-f8a54acf-a417-4957-ac13-21df9a57ed4c} +- TODO in 2020-11-30 + +--- + +<https://cheatsheetseries.owasp.org/Glossary.html> + +## <span class="TODO"></span> Build new Guix image and document the steps {#task-7d57aa50-597e-4a86-b9d7-c2d84f53e1c6} +- TODO in 2020-11-29 + +--- + +Instead of syncing the `.bashrc` file, I should put my aliases in the +base image. + +Setup custom SSH port in the base image itself. + +## <span class="TODO"></span> Setup cgit {#task-43a7a634-84ec-41de-b243-c27fd4a44c25} +- TODO in 2020-11-30 + +--- + +- setup `README` file rendering +- force redirect HTTPS +- permanent redirect www and everything else to non-www + +## <span class="TODO"></span> Add email mcron job report {#task-dd3f2bc7-8d6d-4bab-9a5e-d3211115e4f4} +- TODO in 2020-11-29 + +--- + +# Bugs + +# Improvements + +# Services + +- `git.$tld`: cgit +- `$project.$tld`: static documentation for projects +- `ci.$tld`: single static HTML CI page +- `mail.$tld`: email +- `xmpp.$tld`: Prosody XMPP +- `matrix.$tld`: Synapse Matrix +- `static.$tld`: NGINX directory listing of static files +- `$tld`: Jekyll blog + +# Decisions + +## <span class="DONE"></span> On public SSH key leakage {#decision-d38019ac-a2ad-484d-91e5-f4bdb1fa00ca} +- DONE in 2020-09-06 + +--- + +As described in "[Public SSH keys can leak your private +infrastructure](https://rushter.com/blog/public-ssh-keys/)", public SSH +keys can expose undesired infrastructure, specially for targeted +attacks. + +I'm not considering this a threat, since the link between the server +and e is already public. 
It may be much more effective to just change +the SSH port away from the default: it doesn't accomplish the same +thing, but it prevents simple detections. It is still possible to find +this out via a script, but is orders of magnitute harder for the +attacker. + +## <span class="DONE"></span> Matrix over XMPP {#decision-de89fc4e-5c36-4f6b-9227-221b70e9f321} +- DONE in 2020-11-29 + +--- + +I'm picking Matrix. Not because of the protocol or anything else, but +because it has the two relevant double-puppeting bridges: +mautrix-telegram and mautrix-whatsapp. + +TBH I like XMPP much more, but without working puppeting bridges, I +would stay isolated with it, which would defeat the purpose of having a +chat server on the first place. + +Maybe an XMPP double-puppeting bridge could allow me to use an XMPP +client to talk with Telegram and WhatsApp chats. + +# Resources + +- <https://framagit.org/tyreunom/system-configuration/> +- <https://framagit.org/Jeko/guix-machine-os-ynm/> + +# Scratch |
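Review bot: The "Add index.html on built website" entry is marked DONE but is followed by a dangling "- TODO in 2020-12-02" status line with no heading of its own; either drop that line or give it the task heading it belongs to, since as written the TODOs.rst/Org export will attach it to the wrong task. Spelling in the same file: "it's mount point" should be "its mount point" in the terraform description, "external volum" should be "external volume", "documetation" should be "documentation", "magnitute" should be "magnitude", and "the link between the server and e is already public" is missing a word (presumably "me"). The "Try running on the Raspberry Pi" task is dated 2020-01-12 while its neighbours are 2021-01-12, and "Setup cgit" is dated 2020-11-30 but sorted among the 2020-11-29 entries, so the dates look off by a year/day. On the "On public SSH key leakage" decision, the closing claim that a non-default port makes discovery "orders of magnitude harder" overstates what the same paragraph already concedes ("it doesn't accomplish the same thing", "still possible to find this out via a script"): a port change only reduces noise from untargeted scanners, so I would soften that sentence and cross-reference the "Intrusion prevention and detection" task (fail2ban, rkhunter), which is where the actual mitigation lives.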