# Tasks

## TODO Support tags/labels in TODOs.md {#task-2a86ee6a-09a1-48c4-aff1-c39a00d87d55}

- TODO in 2021-01-16

---

Pilfer style from orgcss.css.

## TODO Add commit "macro" to TODOs.md {#task-268afd29-d602-4f9c-9de8-348cc0b671fb}

- TODO in 2021-01-16

---

So that it links to CGit directly.

## TODO Change base image away from default SSH port {#task-df87e340-4c35-469a-9bc1-fc57429a0b8e}

- TODO in 2021-01-16

---

## TODO Error when running `/var/lib/certbot/renew-certificates` on `guix deploy` {#task-723d9fcd-fdec-4f57-b774-2ed20599a714}

- TODO in 2021-01-16

---

## TODO Proper NGINX configuration {#task-da20aa03-3c74-4382-ba24-a9ea48334e00}

- TODO in 2021-01-16

---

- HTTP2
- gzip
- cache everything, detect content changes?

## TODO Cronjob: Duplicate tarballs in Git notes to static directory listing {#task-8fa7a0c2-4a27-4c56-9817-a47982995ade}

- TODO in 2021-01-16

---

This way it is easier to browse what tarballs are available.

## TODO Is an `activation-service-type` what I want? {#task-56ccba06-fa8e-47b2-b014-44b4417ee072}

- TODO in 2021-01-16

---

I have the impression that these are the sources of errors when rebooting the VPS.

## TODO Provenance warning {#task-47992e04-038a-4528-9856-a25f60ebbb19}

- TODO in 2021-01-16

---

Fix provenance warning when running `guix deploy`.

## TODO Try running on the Raspberry Pi {#task-bc537812-5f9d-4760-8c95-9ae933ecbd57}

- TODO in 2020-01-12

---

## TODO Use custom README converter {#task-ac19877b-55e3-48c8-8c3a-071124d23cd2}

- TODO in 2021-01-12

---

Convert `README` file using markdown instead of plain text.

## DONE Add index.html on built website {#task-92d8ad8d-df93-49c1-8393-eb7147326c29}

- DONE in 2020-12-02

Generate index.html from README.md. Done in `6d95acf144a4f2e48cb603af3a8032c172ceb53e`.
- TODO in 2020-12-02

---

## TODO Test Guix deploy {#task-dee378cd-9e41-402b-9018-e9ebb05ef75d}

- TODO in 2020-12-02

---

## TODO External volume {#task-d76d4d2c-f07e-420b-8f30-28eb258494a6}

- TODO in 2020-11-30

---

```terraform
# Name of the volume; it doubles as the name of the mount point.
variable "storage_name" {
  type        = string
  description = "Name of the block storage volume, which will also be the name of its mount point."
}

# 10 GB Vultr block storage volume, attached live to the VPS instance.
resource "vultr_block_storage" "vps_storage" {
  size_gb     = 10
  region_id   = 9
  attached_id = vultr_server.vps_server.id
  label       = var.storage_name
  live        = "yes"
}
```

## TODO Backups {#task-708bcd4f-4574-4227-8737-fcb10621f1ec}

- TODO in 2020-11-30

---

If possible, put every data subfolder under the same folder, and just back up the top-level folder. This also allows me to put it on an external volume and grow it more easily.

No real need to back up cgit, Jekyll, documentation and Cuirass, but useful to have if available.

The certificates should be backed up, so that restoring doesn't involve re-creating everything from scratch.

- [ ] Email
- [ ] XMPP
- [ ] Matrix
- [ ] Certificates

## TODO Monitoring {#task-5f0457af-49dc-4122-83ff-a0604e3c6a02}

- TODO in 2020-11-30

---

-
- Reports via email.

## TODO Intrusion prevention and detection {#task-ee160451-cfe8-49b2-a71f-6f1dca02cb9d}

- TODO in 2020-11-30

---

-
-

## TODO Security review {#task-f8a54acf-a417-4957-ac13-21df9a57ed4c}

- TODO in 2020-11-30

---

## TODO Build new Guix image and document the steps {#task-7d57aa50-597e-4a86-b9d7-c2d84f53e1c6}

- TODO in 2020-11-29

---

Instead of syncing the `.bashrc` file, I should put my aliases in the base image.

Set up the custom SSH port in the base image itself.
## TODO Setup cgit {#task-43a7a634-84ec-41de-b243-c27fd4a44c25}

- TODO in 2020-11-30

---

- setup `README` file rendering
- force redirect HTTPS
- permanent redirect www and everything else to non-www

## TODO Add email mcron job report {#task-dd3f2bc7-8d6d-4bab-9a5e-d3211115e4f4}

- TODO in 2020-11-29

---

# Bugs

# Improvements

# Services

- `git.$tld`: cgit
- `$project.$tld`: static documentation for projects
- `ci.$tld`: single static HTML CI page
- `mail.$tld`: email
- `xmpp.$tld`: Prosody XMPP
- `matrix.$tld`: Synapse Matrix
- `static.$tld`: NGINX directory listing of static files
- `$tld`: Jekyll blog

# Decisions

## DONE On public SSH key leakage {#decision-d38019ac-a2ad-484d-91e5-f4bdb1fa00ca}

- DONE in 2020-09-06

---

As described in "[Public SSH keys can leak your private infrastructure](https://rushter.com/blog/public-ssh-keys/)", public SSH keys can expose undesired infrastructure, especially for targeted attacks. I'm not considering this a threat, since the link between the server and me is already public.

It may be much more effective to just change the SSH port away from the default: it doesn't accomplish the same thing, but it prevents simple detections. It is still possible to find this out via a script, but it is orders of magnitude harder for the attacker.

## DONE Matrix over XMPP {#decision-de89fc4e-5c36-4f6b-9227-221b70e9f321}

- DONE in 2020-11-29

---

I'm picking Matrix. Not because of the protocol or anything else, but because it has the two relevant double-puppeting bridges: mautrix-telegram and mautrix-whatsapp.

TBH I like XMPP much more, but without working puppeting bridges, I would stay isolated with it, which would defeat the purpose of having a chat server in the first place.

Maybe an XMPP double-puppeting bridge could allow me to use an XMPP client to talk with Telegram and WhatsApp chats.

# Resources

-
-

# Scratch
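Scratch draft, added here as an example and not part of the original notes or of the deployed Guix configuration: one nginx configuration that covers the "Proper NGINX configuration" items (HTTP/2, gzip, caching with change detection via `ETag`) together with the redirect items under "Setup cgit" (force HTTPS, permanent www and everything else to non-www). `example.org`, the certificate paths under `/etc/letsencrypt` and the document root `/srv/www/blog` are placeholders; the real `$tld` and paths are not on this page. The other hosts from the Services list (`git.$tld`, `ci.$tld`, `static.$tld`) would each get a `server` block following the same pattern.

```nginx
# Added example; example.org and all paths are placeholders.

# Plain HTTP: everything goes to HTTPS on the canonical host. The target is
# hard-coded rather than built from $host, so a client-supplied Host header
# can never be reflected into the redirect.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://example.org$request_uri;
}

# TLS requests for a name we do not serve (no matching SNI): refuse the
# handshake instead of answering with the wrong certificate.
# ssl_reject_handshake needs nginx 1.19.4 or newer.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;
}

# www: permanent redirect to the canonical non-www host.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.example.org;
    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
    return 301 https://example.org$request_uri;
}

# Canonical host: the Jekyll blog.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.org;

    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Compression for text-like content only; binaries are already compressed.
    gzip            on;
    gzip_vary       on;
    gzip_min_length 1024;
    gzip_types      text/plain text/css application/javascript application/json
                    application/xml image/svg+xml;

    root /srv/www/blog;

    # HTML: revalidate on every request. etag is on by default, so a changed
    # build yields a new ETag and clients get 200 instead of 304.
    location / {
        try_files $uri $uri/ =404;
        add_header Cache-Control "no-cache" always;
    }

    # Fingerprinted assets from the site build can be cached for a long time;
    # a content change produces a new file name, so stale copies are harmless.
    location /assets/ {
        expires 7d;
        add_header Cache-Control "public, max-age=604800, immutable" always;
    }
}
```

Run `nginx -t` before reloading to catch syntax errors. Two caveats a review of this config should keep in mind: `gzip` over TLS is only safe here because the site is static and contains no per-user secrets (compressing pages that mix attacker-controlled input with secrets is the BREACH pattern), and `add_header` inside a `location` replaces, rather than extends, the headers inherited from the `server` block, which is why `Strict-Transport-Security` belongs at the server level and is repeated nowhere else.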