path: root/TODOs.org
blob: 6a9544de0f10fd736d7705b4bf07e66873d37ec4 (plain) (blame)
* Tasks
:PROPERTIES:
:CUSTOM_ID: tasks
:END:
** TODO External volume
#+BEGIN_SRC hcl
variable "storage_name" {
  type        = string
  description = "Name of the block storage volume, which will also be the name of its mount point."
}

resource "vultr_block_storage" "vps_storage" {
  size_gb     = 10
  region_id   = 9
  attached_id = vultr_server.vps_server.id
  label       = var.storage_name
  live        = "yes"
}
#+END_SRC
** TODO Backups
If possible, put every data subfolder under the same folder, and just back up the
top-level folder. This also allows me to put it on an external volume and grow it
more easily.

No real need to back up cgit, Jekyll, documentation and Cuirass, but useful to
have if available.

The certificates should be backed up, so that restoring doesn't involve
re-creating everything from scratch.
*** TODO Email
*** TODO Matrix
*** TODO Certificates
: /etc/letsencrypt
** TODO Monitoring
- https://mmonit.com/monit/
- https://collectd.org/
** TODO Intrusion prevention and detection
- http://www.fail2ban.org/wiki/index.php/Main_Page
- http://rkhunter.sourceforge.net/
** TODO Security review
https://cheatsheetseries.owasp.org/Glossary.html
** TODO Build new Guix image and document the steps
- State "TODO"       from              [2020-11-29 dim. 02:10]

Instead of syncing the =.bashrc= file, I should put my aliases in the base image.
** TODO Setup cgit
- setup =README= file rendering
- force redirect HTTPS
- permanent redirect www and everything else to non-www
* Bugs
:PROPERTIES:
:CUSTOM_ID: bugs
:END:
* Services
** TODO =git.$tld=: cgit
** TODO =$project.$tld=: static documentation for projects
** TODO =ci.$tld=: cuirass
** TODO =mail.$tld=: email
** TODO =chat.$tld=: Matrix/XMPP
** TODO =meet.$tld=: Jitsi/Nextcloud Talk
** TODO =$tld=: Jekyll blog
* Improvements
* Decisions
:PROPERTIES:
:CUSTOM_ID: decisions
:END:
** DONE On public SSH key leakage
:PROPERTIES:
:CUSTOM_ID: d38019ac-a2ad-484d-91e5-f4bdb1fa00ca
:END:
CLOSED: [2020-11-29 dim. 00:27]
- State "DONE"       from              [2020-09-06 dim. 00:00]

As described in "[[https://rushter.com/blog/public-ssh-keys/][Public SSH keys can leak your private infrastructure]]", public
SSH keys can expose undesired infrastructure, especially for targeted attacks.

I'm not considering this a threat, since the link between the server and me is
already public. It may be much more effective to just change the SSH port away
from the default: it doesn't accomplish the same thing, but it prevents simple
detections. It is still possible to find this out via a script, but it is orders of
magnitude harder for the attacker.
** DONE Matrix over XMPP
:PROPERTIES:
:CUSTOM_ID: de89fc4e-5c36-4f6b-9227-221b70e9f321
:END:
CLOSED: [2020-11-29 dim. 00:29]
- State "DONE"       from              [2020-11-29 dim. 00:29]
I'm picking Matrix. Not because of the protocol or anything else, but because it
has the two relevant double-puppeting bridges: mautrix-telegram and
mautrix-whatsapp.

TBH I like XMPP much more, but without working puppeting bridges, I would stay
isolated with it, which would defeat the purpose of having a chat server in the
first place.

Maybe an XMPP double-puppeting bridge could allow me to use an XMPP client to
talk with Telegram and WhatsApp chats.
* Resources
** https://framagit.org/tyreunom/system-configuration/
* Scratch