Diffstat (limited to 'TODOs.org')
-rw-r--r--  TODOs.org  30
1 files changed, 15 insertions, 15 deletions
@@ -1,8 +1,6 @@ -* Tasks - v3 -** DONE Fix Nextcloud 502 error -CLOSED: [2020-08-05 mer. 06:59] +* Tasks - v4 +** TODO How to handle IP changes in mail server? ** TODO Add borg backup to crontab -** TODO Add missing =defaul= nginx vhost file ** TODO Clean-up garbage backups from rsync.net ** TODO Harden the server *** TODO [#C] [[https://www.reddit.com/r/selfhosted/comments/bw8hqq/top_3_measures_to_secure_your_virtual_private/][Top 3 measures to secure your Virtual Private Server? (VPS)]] @@ -15,20 +13,11 @@ The =file= package is imported in =shell.nix= but =~/.buildenv= is sourced befor ** TODO Use =--pure= for =nix-shell= scripts ** TODO Add volume to fstab Can I use Terraform form this? -** TODO Use Guix instead of Ansible -Or NixOps if not possible or feasible with Guix. * Services - v2 -** DONE =cloud.$tld=: Nextcloud: storage, calendar, contacts, notes and talk -CLOSED: [2020-08-05 mer. 07:00] +** TODO =cloud.$tld=: Nextcloud: storage, calendar, contacts, notes and talk ** TODO =chat.$tld=: Matrix Synapse server, or a XMPP server -https://zingmars.info/2019/12/29/Running-a-personal-Matrix-server-using-docker/ -https://matrix.org/docs/guides/free-small-matrix-server -https://jonnev.se/matrix-homeserver-with-docker/ -** CANCELLED =gpodder.$tld=: gpodder.net sync service -Instead use a desktop application (like gPodder itself) to manage podcasts and export episodes to then phone when needed. - -This solution not only doesn't require internet access, but also it removes the mainteinance of additional software on the server. ** TODO =git.$tld=: git-instaweb (or cgit) server with repositories from ~/dev/libre/ +** TODO =audio.$tld=: FunkWhale ** TODO =mail.$tld=: postfix, dovecot, spamassasin, opendkim, etc No need for roundcube, Nextcloud has a web interface client. ** TODO =$tld=: current Jekyll blog 
@@ -41,6 +30,7 @@ No need for roundcube, Nextcloud has a web interface client. ** [[https://github.com/nixcloud/nixcloud-webservices][nixcloud-webservices]] ** [[https://github.com/Kickball/awesome-selfhosted#email][Awesome-Selfhosted: Email]] ** [[https://arstechnica.com/information-technology/2014/04/taking-e-mail-back-part-4-the-finale-with-webmail-everything-after/][Taking e-mail back]] +** [[https://jacobneplokh.com/how-to-setup-nextcloud-on-nixos][How to Setup Nextcloud on NixOS]] * Decisions ** Use external git repository as an encrypted database Terraform does have the support for "backends" where it can store =.tfstate= files. 
@@ -56,6 +46,14 @@ All data stored on git is encrypted with [[https://www.agwa.name/projects/git-cr By taking advantage of the sourcehut ecosystem, it was easier to setup the access of the pipeline to the ad-hoc Terraform backend. I created a repository called [[https://git.sr.ht/~euandreh/vps-state/][=vps-state=]] to store the encrypted =.tfstate= and =.tfplan= files. During the CI run, the pipeline creates new a =.tfplan= file and commits it into =vps-state=, and after applying the plan it updates the =.tfstate= file and adds this change to =vps-state=. +** Move external =vps-state= into =vps= +I want to move the Terraform state into this repository, I don't like the inconsistency that having 2 repos create. + +If I move vps-state into vps, I'll have to remove the terraform steps from the pipeline: it can't commit to itself (as described above). This has an upside too: instead of automatically approving whatever plan Terraform creates, I review the plan before applying. + +It makes the deploying less automatic, but this removes the IP reputation email issue. + +This means that the Terraform provisioning should stay out of the CI and be run only locally. ** Configuration of =StrictHostKeyChecking= We have 3 cases where I'm pushing things to the server and I'm dealing with it differently: *** 1. Pushing updates to the =vps-state= repository 
@@ -76,6 +74,8 @@ Instead, explicitly call =ansible-playbook= after =terraform apply= finished run This way we test the DNS A record -> Floating IP -> Droplet IP path. We can't do that inside Terraform declaration because the =local-exec= provisioning command runs before the =digitalocean_floating_ip_assignment= is created, and we can't create a cyclic dependency between the two resources. We could use the raw Droplet IP instead of the DNS A record, but I prefer calling it later in order to always test the full DNS resolution. +* Questions +** How to best handle IP changes when the server changes? How does this affect the email sending IP reputation? * Scrath https://federationtester.matrix.org/ EteSync? |
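Review bot: in the first hunk (@@ -1,8 +1,6 @@) the line "** TODO Add missing =defaul= nginx vhost file" is deleted with no recorded outcome, whereas the Nextcloud item removed beside it had at least been marked DONE with a CLOSED timestamp first. A missing default vhost belongs with the "** TODO Harden the server" item that follows it, so either mark it DONE or CANCELLED with a CLOSED timestamp, as the file does elsewhere, or move it under the hardening heading instead of dropping it. The new "** TODO How to handle IP changes in mail server?" also reappears as a question in the last hunk; keep it in one place.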
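Review bot: in the second hunk (@@ -15,20 +13,11 @@) the three Matrix setup links are removed while the "** TODO =chat.$tld=" task they supported stays open, and the CANCELLED gpodder entry is removed together with the two paragraphs explaining why it was cancelled. Move the Matrix links to the links section, as this commit does for the Nextcloud-on-NixOS link, and keep the cancellation rationale (or a one-line summary of it) so the decision is not revisited later. "** TODO Use Guix instead of Ansible" is likewise removed without a DONE or CANCELLED status.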
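Review bot: the new "** Move external =vps-state= into =vps=" decision (@@ -56,6 +46,14 @@) states that the pipeline "can't commit to itself (as described above)", but the unchanged "*** 1. Pushing updates to the =vps-state= repository" case under "** Configuration of =StrictHostKeyChecking=" still describes CI pushing to that repository; update or remove that case in the same commit. The =.tfstate= and =.tfplan= files are sensitive enough that the repository holding them is git-crypt encrypted (per the context line at the top of this hunk), so the decision should also say that the same encryption covers their new path in =vps= before any state is committed here. Reviewing the plan by hand before applying is a sound control, but the sentence "this removes the IP reputation email issue" needs one line explaining how running terraform apply only locally affects the mail IP reputation, since that link is not obvious from the text.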
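Review bot: the question "** How to best handle IP changes when the server changes?" added in the last hunk (@@ -76,6 +74,8 @@) duplicates the "** TODO How to handle IP changes in mail server?" task added in the first hunk; keep one and have the other point to it. The unchanged context just above already records that traffic follows "DNS A record -> Floating IP -> Droplet IP", so the question could be narrowed to whether outbound mail leaves from the floating IP or from the Droplet IP, which is what decides whether a Droplet replacement changes the sending address.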