Tasks
=====

.. _bc537812-5f9d-4760-8c95-9ae933ecbd57:

TODO Try running on the Raspberry Pi
------------------------------------

- TODO in 2020-01-12 a b c
- DONE in 2020-01-02 xu pliuw

nest
~~~~

#. woeifj
#. woeifj

.. _ac19877b-55e3-48c8-8c3a-071124d23cd2:

TODO Use custom README converter
--------------------------------

- TODO in 2021-01-12

----

Convert the ``README`` file using Markdown instead of plain text.

.. _92d8ad8d-df93-49c1-8393-eb7147326c29:

DONE Add index.html on built website
------------------------------------

- State "DONE" from [2020-12-02 mer. 15:47]

  Generate index.html from README.md. Done in :commit:`6d95acf144a4f2e48cb603af3a8032c172ceb53e`.

- State "TODO" from [2020-12-02 mer. 15:41]

.. _dee378cd-9e41-402b-9018-e9ebb05ef75d:

TODO Test Guix deploy
---------------------

- State "TODO" from [2020-12-02 mer. 17:21]

.. _d76d4d2c-f07e-420b-8f30-28eb258494a6:

TODO External volume
--------------------

- State "TODO" from [2020-11-30 lun. 01:19]

.. code:: hcl

   # Name of the volume, reused as its mount point name.
   variable "storage_name" {
     type        = string
     description = "Name of the block storage volume, which will also be the name of it's mount point."
   }

   # 10 GB Vultr block storage attached live to the VPS instance.
   resource "vultr_block_storage" "vps_storage" {
     size_gb     = 10
     region_id   = 9
     attached_id = vultr_server.vps_server.id
     label       = var.storage_name
     live        = "yes"
   }

.. _708bcd4f-4574-4227-8737-fcb10621f1ec:

TODO Backups
------------

- State "TODO" from [2020-11-30 lun. 01:19]

If possible, put every data subfolder under the same folder, and just back up the top-level folder. This also allows me to put it on an external volume and grow it more easily.

No real need to back up cgit, Jekyll, documentation and Cuirass, but useful to have if available.

The certificates should be backed up, so that restoring doesn't involve re-creating everything from scratch.

.. _email:

TODO Email
~~~~~~~~~~

- State "TODO" from [2020-11-30 lun. 01:20]

.. _matrix:

TODO Matrix
~~~~~~~~~~~

- State "TODO" from [2020-11-30 lun. 01:19]
.. _certificates:

TODO Certificates
~~~~~~~~~~~~~~~~~

- State "TODO" from [2020-11-30 lun. 01:19]

::

   /etc/letsencrypt

.. _5f0457af-49dc-4122-83ff-a0604e3c6a02:

TODO Monitoring
---------------

- State "TODO" from [2020-11-30 lun. 01:20]
- https://mmonit.com/monit/
- https://collectd.org/

Reports via email.

.. _ee160451-cfe8-49b2-a71f-6f1dca02cb9d:

TODO Intrusion prevention and detection
---------------------------------------

- State "TODO" from [2020-11-30 lun. 01:20]
- http://www.fail2ban.org/wiki/index.php/Main_Page
- http://rkhunter.sourceforge.net/

.. _f8a54acf-a417-4957-ac13-21df9a57ed4c:

TODO Security review
--------------------

- State "TODO" from [2020-11-30 lun. 01:20]

https://cheatsheetseries.owasp.org/Glossary.html

.. _7d57aa50-597e-4a86-b9d7-c2d84f53e1c6:

TODO Build new Guix image and document the steps
------------------------------------------------

- State "TODO" from [2020-11-29 dim. 02:10]

Instead of syncing the ``.bashrc`` file, I should put my aliases in the base image.

Set up the custom SSH port in the base image itself.

.. _43a7a634-84ec-41de-b243-c27fd4a44c25:

TODO Setup cgit
---------------

- State "TODO" from [2020-11-30 lun. 01:20]
- set up ``README`` file rendering
- force redirect to HTTPS
- permanent redirect of www and everything else to non-www

.. _dd3f2bc7-8d6d-4bab-9a5e-d3211115e4f4:

TODO Add email mcron job report
-------------------------------

- State "TODO" from [2020-11-29 dim. 20:21]

Bugs
====

Improvements
============

Services
========

.. _git.tld-cgit:

TODO ``git.$tld``: cgit
-----------------------

.. _project.tld-static-documentation-for-projects:

TODO ``$project.$tld``: static documentation for projects
---------------------------------------------------------

.. _ci.tld-single-static-html-ci-page:

TODO ``ci.$tld``: single static HTML CI page
--------------------------------------------

.. _mail.tld-email:

TODO ``mail.$tld``: email
-------------------------
.. _chat.tld-matrixxmpp:

TODO ``chat.$tld``: Matrix/XMPP
-------------------------------

https://news.ycombinator.com/item?id=25669864

.. _meet.tld-jitsinextcloud-talk:

TODO ``meet.$tld``: Jitsi/Nextcloud Talk
----------------------------------------

.. _tld-jekyll-blog:

TODO ``$tld``: Jekyll blog
--------------------------

Decisions
=========

.. _d38019ac-a2ad-484d-91e5-f4bdb1fa00ca:

DONE On public SSH key leakage
------------------------------

CLOSED: [2020-11-29 dim. 00:27]

- State "DONE" from [2020-09-06 dim. 00:00]

As described in "`Public SSH keys can leak your private infrastructure `__", public SSH keys can expose undesired infrastructure, especially for targeted attacks.

I'm not considering this a threat, since the link between the server and me is already public.

It may be much more effective to just change the SSH port away from the default: it doesn't accomplish the same thing, but it prevents simple detections. It is still possible to find this out via a script, but it is orders of magnitude harder for the attacker.

.. _de89fc4e-5c36-4f6b-9227-221b70e9f321:

DONE Matrix over XMPP
---------------------

CLOSED: [2020-11-29 dim. 00:29]

- State "DONE" from [2020-11-29 dim. 00:29]

I'm picking Matrix. Not because of the protocol or anything else, but because it has the two relevant double-puppeting bridges: mautrix-telegram and mautrix-whatsapp.

TBH I like XMPP much more, but without working puppeting bridges I would stay isolated with it, which would defeat the purpose of having a chat server in the first place.

Maybe an XMPP double-puppeting bridge could allow me to use an XMPP client to talk with Telegram and WhatsApp chats.
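The "custom SSH port in the base image" task and the decision above both come down to one Guix service declaration; this is an added example, not code from these notes, and it assumes a user named ``alice``, port ``2222`` and a placeholder public key.

```scheme
;; Added example, not from the original notes: an OpenSSH service
;; definition for the Guix base image that moves sshd off port 22,
;; as the notes propose. Splice %vps-ssh-service into the `services`
;; field of the operating-system declaration of the image.
(define-module (vps ssh)
  #:use-module (gnu)
  #:use-module (gnu services ssh)
  #:use-module (guix gexp)
  #:export (%vps-ssh-port %vps-ssh-service))

;; Assumed, non-default port; any free port above 1024 works.
(define %vps-ssh-port 2222)

(define %vps-ssh-service
  (service openssh-service-type
           (openssh-configuration
            (port-number %vps-ssh-port)
            ;; Key-only logins: no passwords, no root, no X11.
            (password-authentication? #f)
            (permit-root-login #f)
            (x11-forwarding? #f)
            ;; Assumed user "alice"; the key text is a PLACEHOLDER to be
            ;; replaced by the real public key (or a local-file of it).
            (authorized-keys
             `(("alice" ,(plain-file "alice.pub"
                                     "ssh-ed25519 PLACEHOLDER-PUBLIC-KEY alice@laptop\n")))))))
```

Any firewall rule in the same image must open ``%vps-ssh-port`` instead of 22, and for the "Test Guix deploy" task the machine's ``machine-ssh-configuration`` has to carry the same port (assumed ``(port 2222)``), otherwise ``guix deploy`` will keep trying the default.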
Resources
=========

https://framagit.org/tyreunom/system-configuration/
---------------------------------------------------

https://framagit.org/Jeko/guix-machine-os-ynm/
----------------------------------------------

Scratch
=======

Server requirements:

- Guix for CI
- NGINX
- CGit, Git, Git Annex
- Prosody for XMPP
- Synapse for Matrix
- OpenSMTPD, Dovecot for email

NGINX settings:

- HTTP2
- gzip
- cache everything

mutt:

- configure in ``~/annex/bin/misc/mail/``

VPS:

- set up chat servers: XMPP and Matrix

cronjob: copy tarballs in git notes to a directory to make them easier to browse (directory listing)

use ``guix deploy`` over ssh ``system reconfigure``