# Tasks
## TODO Add Git custom config to dotfiles {#td-8b422469-ebfc-e1a6-605b-fc39adda4c68}
- TODO in 2022-03-29
---
```shell
git config --global init.defaultBranch main
```
## TODO Automate generation and renewal of Let's Encrypt certificates {#td-7853ec30-a832-d05b-f530-2417dc7524d7}
- TODO in 2022-03-29
## TODO Fix `$PS1` line editing {#td-417b0c33-a631-c8a1-bc8a-66c104355106}
- TODO in 2022-03-28
## TODO Automate implicit dependencies {#td-366e93f7-659f-7f48-4c8e-4d5eb1362df5}
- TODO in 2022-03-28
---
FIXME
From `src/infrastructure/machines.scm`:
```scheme
;;
;; Implicit dependencies, to be automated:
;; - /srv and /opt directories:
;; # mkdir -p /srv/http /opt/secrets
;; # chown -R andreh:users /opt /srv
;; # chmod -R 755 /opt /srv
;; - create /opt/secrets/borg-passphrase.txt
;; $ pass generate VPS/$SERVER/borg/passphrase.txt 999
;; $ pass show VPS/$SERVER/borg/passphrase | ssh $SERVER 'cat - > /opt/secrets/borg-passphrase.txt'
;; - create the SSH key
;; $ ssh-keygen
;; - *manually* add that to the authorized_keys on rsync.net:
;; $ scp suyin:.ssh/authorized_keys src/rsync.net/
;; $ # add 'restrict,command="..."' to the authorized_keys entry
;; $ ssh $SERVER cat .ssh/id_rsa.pub >> authorized_keys
;; $ scp src/rsync.net/authorized_keys suyin:.ssh/
;; - copy borg key after the first backup:
;; $ ?
;; - generate DKIM key
;; $ guix shell openssl -- openssl genrsa -out /opt/secrets/dkim.arrobaponto.org.key 1024
;; $ guix shell openssl -- openssl rsa -in /opt/secrets/dkim.arrobaponto.org.key -pubout -out /opt/secrets/dkim.arrobaponto.org.pub
;; - manually load /etc/profile-extra, /etc/bashrc-extra and /etc/ps1.sh
;; to ~/.bashrc and ~root/.bashrc
;;
```
## TODO Remove `info` alias {#td-1f71cdc9-374f-4e2a-bbd0-034bd12e9685}
- TODO in 2022-03-28
## TODO Remove `dhcp-client-service-type` and hard code static IP? {#td-d92756f5-97db-e9ff-dd1e-0149a694c565}
- TODO in 2022-03-27
## TODO Subscribe to CVE notifications {#td-094bbe96-43ca-ef6a-c78e-5b4290b5f80b}
- TODO in 2022-03-26
## TODO Fix mcron failed jobs email reports {#td-9b20afc8-c1f0-ceef-07cb-be18bdd922eb}
- TODO in 2022-03-25
## TODO Consider using SSH certificates {#td-dfa8443e-8da0-3dc9-ee73-d527efae203d}
- TODO in 2022-03-24
---
Reference:
## TODO Subscribe to admin and security mailing lists of deployed software {#td-17c27497-226f-4c3d-5ad5-7cc279606963}
- TODO in 2022-03-21
---
- Postfix, SpamAssassin, Dovecot;
- Matrix (Conduit), Prosody;
- Git;
- NGINX, fcgiwrap;
- Prometheus, $LOG_TOOL;
- Nextcloud;
- Guix;
- DNS (knot or nsd), certbot;
- borg;
- Litestream.
## TODO Put "arrobaponto.org" in a variable {#td-fa5c767a-c63d-69dd-1fb4-1425ed7b219e}
- TODO in 2022-03-20
## TODO Replace Vultr with Raspberry Pi {#td-39864f91-afa7-5a9d-1d3b-230c75b8b36f}
- TODO in 2022-03-20
## TODO Replace `$R` with `suyin` for SSH {#td-0f8c386f-ea4c-900d-35e7-dbead75d9d90}
- TODO in 2022-03-17
## TODO Fix warning on missing (machines) module {#td-9fc35972-24b4-376c-d61f-bb0356e25ffb}
- TODO in 2022-03-11
## TODO Use Guix Home over ad-hoc etc-service-type setup {#td-3bfc0a15-da13-a98b-e5ae-7d67e02cac97}
- TODO in 2022-03-11
## TODO Properly handle `/var/log/*` logfiles {#td-37e4373e-64ee-eab5-99fb-4126939126d7}
- TODO in 2022-03-08
---
Do proper log rotation (declaratively configured in `machines.scm`), include
them in backups, send information in emails, filter different log levels,
process them with things like [`goaccess`], etc.
[`goaccess`]: https://goaccess.io/
## TODO Disable outgoing rules for `ufw` firewall on toph {#td-c7aa4728-5288-205d-b5c5-5974993ec283}
- TODO in 2022-03-07
## TODO Test and debug SSH {#td-10232d88-64be-59c8-c127-e5b374265ab3}
- TODO in 2022-03-07
---
## TODO Test and debug TLS {#td-529d6f4b-468a-06c2-423e-4aa7447d4eae}
- TODO in 2022-03-07
---
## TODO Test and debug DNS setup {#td-12b5afa7-b9f9-9ecc-d6b6-8826509f56dc}
- TODO in 2022-03-07
---
Useful resources:
## TODO Make VPS run on home server? {#td-afbfdf41-1215-4c67-3170-bb75af43aeb7}
- TODO in 2022-03-07
---
Inspiration taken from:
- [We are now Solar Powered]()
- [This website has 81% battery power remaining]()
- [I host this blog from my garage](https://news.ycombinator.com/item?id=29474130)
## TODO Consider `TURN`/`STUN` for torrents, and what its tradeoffs are {#td-051b0b06-49a3-10bb-98b8-267c21abe8af}
- TODO in 2022-03-07
## TODO Use `doas` over `sudo`? {#td-f859f776-9fb0-d1b7-e7aa-45e11da9264a}
- TODO in 2022-03-07
## TODO Add `security.txt` {#td-4edfaf39-769b-b963-269e-9cc9e4f4f33f}
- TODO in 2022-03-07
---
Add check to ensure that its `Expires` field is in sync with the refreshed GPG
key, and that this file in `euandre.org` is also in sync with `euandreh.xyz` and
other domains.
Probably just:
```
Contact: mailto:eu@euandre.org
Expires: 2022-07-12T03:00:00.000Z
Encryption: https://euandre.org/public-key.txt
Preferred-Languages: en, pt, fr, eo, es
```
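A check of the kind described above, as an added example that is not part of the original notes: it parses each domain's `security.txt`, verifies the `Expires` field against the GPG key's expiry and against RFC 9116's one-year limit, and flags copies that drifted apart. It assumes the files' text is fetched separately and passed in as strings, and that the key expiry is supplied as `KEY_EXPIRY`.

```python
# Added example, not from the notes: cross-domain security.txt consistency
# check; assumes the files' text is fetched elsewhere and passed in as strings.
from datetime import datetime, timedelta, timezone

# Constructed sample contents modelled on the draft above; the second copy's
# Expires value has drifted out of sync with the first.
SAMPLE_FILES = {
    "euandre.org": "Contact: mailto:eu@euandre.org\n"
                   "Expires: 2022-07-12T03:00:00.000Z\n"
                   "Encryption: https://euandre.org/public-key.txt\n"
                   "Preferred-Languages: en, pt, fr, eo, es\n",
    "euandreh.xyz": "Contact: mailto:eu@euandre.org\n"
                    "Expires: 2022-09-01T00:00:00Z\n"
                    "Encryption: https://euandre.org/public-key.txt\n"
                    "Preferred-Languages: en, pt, fr, eo, es\n",
}
# Assumed inputs: expiry of the published GPG key and the time of the check.
KEY_EXPIRY = datetime(2022, 7, 12, 3, 0, tzinfo=timezone.utc)
NOW = datetime(2022, 3, 7, tzinfo=timezone.utc)

def parse_security_txt(text):
    """Parse RFC 9116 'Field: value' lines; '#' lines are comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def check_security_txt(files, key_expiry, now):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    parsed = {d: parse_security_txt(t) for d, t in files.items()}
    for domain, fields in parsed.items():
        expires = fields.get("Expires", [])
        if len(expires) != 1:  # RFC 9116: exactly one Expires field
            problems.append(f"{domain}: exactly one Expires field required")
            continue
        # RFC 3339 timestamp; fromisoformat() wants '+00:00' rather than 'Z'.
        exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        if exp <= now or exp > now + timedelta(days=365):
            problems.append(f"{domain}: Expires is past or over a year ahead")
        if exp != key_expiry:
            problems.append(f"{domain}: Expires does not match GPG key expiry")
    reference = next(iter(parsed.values()))  # first domain is the reference
    for domain, fields in parsed.items():
        if fields != reference:
            problems.append(f"{domain}: out of sync with the first domain")
    return problems
```

Run it from an mcron job with the real files and a non-empty result is the email-worthy report.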
## TODO Update `README.md` with relevant instructions {#td-86fc7cfd-27e4-0414-5129-899bf80451f3}
- TODO in 2022-03-07
## TODO Do 3-2-1 backups {#td-dae28289-0b87-f931-8911-97cd810c9507}
- TODO in 2022-03-06
## TODO Make VPS IPv6 only {#task-ef646036-9be7-5669-ac12-3f6be1c71bce}
- TODO in 2021-07-28
## TODO Send email after gc.sh job {#task-4b3b746c-7042-469d-95fb-dede89343439}
- TODO in 2021-03-07
## TODO DNSSEC? {#task-c2da4f1f-f8fb-4584-bd8d-f1e1351c0881}
- TODO in 2021-03-07
## TODO Use doas over sudo {#task-ab2dd2e6-332c-472c-9fd1-6a9cfd620a5f}
- TODO in 2021-02-25
## TODO Package Terraform for Guix {#task-0a38c085-9d4a-41ef-9f66-dc85d9ad984b}
- TODO in 2021-02-23
## TODO Which channel Guix deploy uses? {#task-9852eee9-7b0b-456d-9fcb-cd531ac0c3e1}
- TODO in 2021-02-22
---
I expect it to be the remote channel, otherwise the `unattended-upgrade` service is much less useful.
Is it the local one?
## TODO Support tags/labels in TODOs.md {#task-2a86ee6a-09a1-48c4-aff1-c39a00d87d55}
- TODO in 2021-01-16
---
Pilfer style from orgcss.css.
## CANCELLED Add commit "macro" to TODOs.md {#task-268afd29-d602-4f9c-9de8-348cc0b671fb}
- CANCELLED in 2021-03-06
It is better instead to link manually, no automagic.
- TODO in 2021-01-16
---
So that it links to CGit directly.
## TODO Change base image away from default SSH port {#task-df87e340-4c35-469a-9bc1-fc57429a0b8e}
- TODO in 2021-01-16
## TODO Error when running `/var/lib/certbot/renew-certificates` on `guix deploy` {#task-723d9fcd-fdec-4f57-b774-2ed20599a714}
- TODO in 2021-01-16
## TODO Proper NGINX configuration {#task-da20aa03-3c74-4382-ba24-a9ea48334e00}
- TODO in 2021-01-16
---
- HTTP2
- gzip
- cache everything, detect content changes?
## CANCELLED Cronjob: Duplicate tarballs in Git notes to static directory listing {#task-8fa7a0c2-4a27-4c56-9817-a47982995ade}
- CANCELLED in 2021-03-06
Tarballs are no longer stored in Git notes. They are just the Git tags themselves, which CGit/gistatic generates.
- TODO in 2021-01-16
---
This way it is easier to browse what tarballs are available.
## TODO Is an `activation-service-type` what I want? {#task-56ccba06-fa8e-47b2-b014-44b4417ee072}
- TODO in 2021-01-16
---
I have the impression that these are the sources of errors when
rebooting the VPS.
## TODO Provenance warning {#task-47992e04-038a-4528-9856-a25f60ebbb19}
- TODO in 2021-01-16
---
Fix provenance warning when running `guix deploy`.
## TODO Try running on the Raspberry Pi {#task-bc537812-5f9d-4760-8c95-9ae933ecbd57}
- TODO in 2020-01-12
## CANCELLED Use custom README converter {#task-ac19877b-55e3-48c8-8c3a-071124d23cd2}
- CANCELLED in 2021-03-06
`README.md` is for commonmark, `README` is plain text.
- TODO in 2021-01-12
---
Convert `README` file using markdown instead of plain text.
## DONE Add index.html on built website {#task-92d8ad8d-df93-49c1-8393-eb7147326c29}
- DONE in 2020-12-02
Generate index.html from README.md. Done in
`6d95acf144a4f2e48cb603af3a8032c172ceb53e`.
- TODO in 2020-12-02
## DONE Test Guix deploy {#task-dee378cd-9e41-402b-9018-e9ebb05ef75d}
- DONE in 2021-03-06
It works!
- TODO in 2020-12-02
## TODO External volume {#task-d76d4d2c-f07e-420b-8f30-28eb258494a6}
- TODO in 2020-11-30
---
```terraform
variable "storage_name" {
  type        = string
  description = "Name of the block storage volume, which will also be the name of its mount point."
}

resource "vultr_block_storage" "vps_storage" {
  size_gb     = 10
  region_id   = 9
  attached_id = vultr_server.vps_server.id
  label       = var.storage_name
  live        = "yes"
}
```
## TODO Backups {#task-708bcd4f-4574-4227-8737-fcb10621f1ec}
- TODO in 2020-11-30
---
If possible, put every data subfolder under the same folder, and just
back up the top-level folder. This also allows me to put it on an
external volume and grow it more easily.
No real need to back up cgit, Jekyll, documentation and Cuirass, but
useful to have if available.
The certificates should be backed up, so that restoring doesn't involve
re-creating everything from scratch.
- [ ] Email
- [ ] XMPP
- [ ] Matrix
- [ ] Certificates
## TODO Monitoring {#task-5f0457af-49dc-4122-83ff-a0604e3c6a02}
- TODO in 2020-11-30
---
Reports via email.
## TODO Intrusion prevention and detection {#task-ee160451-cfe8-49b2-a71f-6f1dca02cb9d}
- TODO in 2020-11-30
---
## TODO Security review {#task-f8a54acf-a417-4957-ac13-21df9a57ed4c}
- TODO in 2020-11-30
---
## TODO Build new Guix image and document the steps {#task-7d57aa50-597e-4a86-b9d7-c2d84f53e1c6}
- TODO in 2020-11-29
---
Instead of syncing the `.bashrc` file, I should put my aliases in the
base image.
Setup custom SSH port in the base image itself.
## CANCELLED Setup cgit {#task-43a7a634-84ec-41de-b243-c27fd4a44c25}
- CANCELLED in 2021-03-06
Use the gistatic generator instead. No extra server configuration required, just vanilla NGINX.
- TODO in 2020-11-30
---
- setup `README` file rendering
- force redirect HTTPS
- permanent redirect www and everything else to non-www
## TODO Add email mcron job report {#task-dd3f2bc7-8d6d-4bab-9a5e-d3211115e4f4}
- TODO in 2020-11-29
# Bugs
# Improvements
# Questions
## TODO How to do video-conferencing? {#question-fe884516-3fde-42ba-b382-2e0068a99a36}
- TODO in 2021-03-06
---
Installing and maintaining Nextcloud just for this is overkill.
# Ideas
## TODO TLDs ideas {#td-b6c2760f-4ea7-3f2c-bad7-e1f1e5f633bb}
- TODO in 2022-03-28
---
From `src/infrastructure/machines.scm`:
```scheme
;; toph -> euandre.org
;; kuvira -> euandreh.xyz
;; ??? -> arrobaponto.org
;; asami -> discussions.site
;; zhu-li -> mediator.ht
;; lily -> hinarioespirita.org ; musician
;; kyoshi -> standardify.sh ; standardized warriors
;; suyin -> rsync.net ; city with a metal shell
;; ??? -> amber.ht
;; yangchen -> multipatch.xyz
;; mai -> mailbug.xyz
```
# Services
- `ssh://$tld`: OpenSSH
- `https://$tld`: NGINX - static HTTP + CGI + webapps
- `xmpp://$tld`: Prosody XMPP
- `https://matrix.$tld`: Synapse Matrix
- `smtps://$tld`: OpenSMTPD + SpamAssassin + OpenDKIM + ClamAV
- `imaps://$tld`: Dovecot
- `https://mail.$tld`: webmail
- `https://voice.$tld`: Murmur
- `https://cloud.$tld`: Nextcloud
- `https://irc.$tld`: IRC server
- `https://metrics.$tld`: Prometheus
- `https://logs.$tld`: $LOG_TOOL
# Decisions
## DONE On public SSH key leakage {#decision-d38019ac-a2ad-484d-91e5-f4bdb1fa00ca}
- DONE in 2020-09-06
---
As described in "[Public SSH keys can leak your private
infrastructure](https://rushter.com/blog/public-ssh-keys/)", public SSH
keys can expose undesired infrastructure, especially for targeted
attacks.
I'm not considering this a threat, since the link between the server
and me is already public. It may be much more effective to just change
the SSH port away from the default: it doesn't accomplish the same
thing, but it prevents simple detections. It is still possible to find
this out via a script, but it is orders of magnitude harder for the
attacker.
## DONE Matrix over XMPP {#decision-de89fc4e-5c36-4f6b-9227-221b70e9f321}
- DONE in 2020-11-29
---
I'm picking Matrix. Not because of the protocol or anything else, but
because it has the two relevant double-puppeting bridges:
mautrix-telegram and mautrix-whatsapp.
TBH I like XMPP much more, but without working puppeting bridges, I
would stay isolated with it, which would defeat the purpose of having a
chat server in the first place.
Maybe an XMPP double-puppeting bridge could allow me to use an XMPP
client to talk with Telegram and WhatsApp chats.
# Resources
# Scratch