Diffstat (limited to 'TODOs.org')
-rw-r--r-- | TODOs.org | 26 |
1 files changed, 23 insertions, 3 deletions
@@ -1,6 +1,15 @@ * Tasks - v4 -** TODO cgit: show README in about section -** TODO Update matterbridge version +** TODO "Migration": use =euandreh_nextcloud_= prefix to database table +** DONE cgit: show README in about section +CLOSED: [2020-09-06 dim. 08:59] +- State "DONE" from [2020-09-06 dim. 08:59] +** CANCELLED Update matterbridge version +CLOSED: [2020-09-06 dim. 08:59] +- State "CANCELLED" from [2020-09-06 dim. 08:59] \\ +I found matterbridge to be too simplistic for what it was proposing to do. The +puppeting bridges from Matrix are a much more robust solution, and I'll try that +instead later. + https://github.com/42wim/matterbridge/issues/1061 ** DONE Add Prosody DNS record to allow me to use eu@euandreh.xyz as an XMPP address CLOSED: [2020-08-23 dim. 18:40] @@ -17,7 +26,9 @@ Or even better: switch to SQLite. *** TODO [#A] [[https://docs.nextcloud.com/server/stable/admin_manual/installation/harden_server.html][Nextcloud: Hardening and security guidance]] *** TODO [#A] [[https://ownyourbits.com/2017/03/25/nextcloud-a-security-analysis/][NextCloud, a security analysis]] *** TODO [#B] [[https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md][Check for HSTS header configuration]] -*** TODO Move secrets outside the Nix store +*** DONE Move secrets outside the Nix store +CLOSED: [2020-09-06 dim. 11:35] +- State "DONE" from [2020-09-06 dim. 11:35] *** TODO Properly configure PostgreSQL *** TODO Separate lighttpd user ownership from =$GIT_ROOT=? ** TODO Add volume 
@@ -113,6 +124,15 @@ Instead, explicitly call =ansible-playbook= after =terraform apply= finished run This way we test the DNS A record -> Floating IP -> Droplet IP path. We can't do that inside Terraform declaration because the =local-exec= provisioning command runs before the =digitalocean_floating_ip_assignment= is created, and we can't create a cyclic dependency between the two resources. We could use the raw Droplet IP instead of the DNS A record, but I prefer calling it later in order to always test the full DNS resolution. +** On public SSH key leakage +As described in "[[https://rushter.com/blog/public-ssh-keys/][Public SSH keys can leak your private infrastructure]]", public +SSH keys can expose undesired infrastructure, specially for targeted attacks. + +I'm not considering this a threat, since the link between the server and me is +already public. It may be much more effective to just change the SSH port away +from the default: it doesn't accomplish the same thing, but it prevents simple +detections. It is still possible to find this out via a script, but is orders of +magnitute harder for the attacker. * Questions ** How to best handle IP changes when the server changes? How does this affect the email sending IP reputation? ** Enable 2FA for Nextcloud? |
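Review bot: the new item `** TODO "Migration": use =euandreh_nextcloud_= prefix to database table` in the first hunk does not say which database or which service's tables it refers to, nor whether this is a prefix for a fresh install or a rename of tables that already hold data; the quoted "Migration" suggests the latter, in which case the entry should record that a database backup is taken first and that the application configuration is changed in the same step, otherwise the service comes up pointing at the old table names. The CANCELLED matterbridge entry is fine as a decision record, but it would help to link the puppeting-bridge alternative being considered so the reason for cancelling stays verifiable.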
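Review bot: the second hunk closes `*** DONE Move secrets outside the Nix store` with only a timestamp; a DONE entry on a security item should say where the secrets now live, which user and file mode they get, and how the result was checked (for instance confirming the built system closure no longer contains the secret values), since the still-open neighbours `*** TODO Properly configure PostgreSQL` and `*** TODO Separate lighttpd user ownership from =$GIT_ROOT=?` depend on the same ownership decisions and will otherwise repeat the investigation.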
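Review bot: in the third hunk, the sentence "It is still possible to find this out via a script, but is orders of magnitute harder for the attacker" overstates what a non-default SSH port buys; the preceding sentence already concedes it "doesn't accomplish the same thing" and only "prevents simple detections", so the entry should say plainly that the change filters out default-port mass scanning and log noise rather than raising cost by orders of magnitude, and should name the control that actually addresses the linked article's concern (key-only authentication, which the public keys in question already imply). Also fix the typos "specially" (especially) and "magnitute" (magnitude), and the stray `\\` line break after the CANCELLED heading in the first hunk if it was not intended as an org-mode hard break.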