* Tasks
:PROPERTIES:
:CUSTOM_ID: tasks
:END:
** TODO Add index.html to the built website
:PROPERTIES:
:CUSTOM_ID: 92d8ad8d-df93-49c1-8393-eb7147326c29
:END:
- State "TODO" from [2020-12-02 mer. 15:41]
** TODO External volume
:PROPERTIES:
:CUSTOM_ID: d76d4d2c-f07e-420b-8f30-28eb258494a6
:END:
- State "TODO" from [2020-11-30 lun. 01:19]
#+BEGIN_SRC hcl
# Name shared by the volume label and by its mount point on the server.
variable "storage_name" {
  type        = string
  description = "Name of the block storage volume, which will also be the name of its mount point."
}

# 10 GB block storage volume attached live (no reboot) to the VPS, which is
# declared elsewhere as vultr_server.vps_server.
resource "vultr_block_storage" "vps_storage" {
  size_gb     = 10
  region_id   = 9
  attached_id = vultr_server.vps_server.id
  label       = var.storage_name
  # Newer releases of the Vultr provider expect a boolean here (live = true).
  live        = "yes"
}
#+END_SRC
** TODO Backups
:PROPERTIES:
:CUSTOM_ID: 708bcd4f-4574-4227-8737-fcb10621f1ec
:END:
- State "TODO" from [2020-11-30 lun. 01:19]
If possible, put every data subfolder under the same folder, and just back up the
top-level folder. This also allows me to put it on an external volume and grow it
more easily.
No real need to back up cgit, Jekyll, documentation and Cuirass, but useful to
have if available.
The certificates should be backed up, so that restoring doesn't involve
re-creating everything from scratch.
*** TODO Email
- State "TODO" from [2020-11-30 lun. 01:20]
*** TODO Matrix
- State "TODO" from [2020-11-30 lun. 01:19]
*** TODO Certificates
- State "TODO" from [2020-11-30 lun. 01:19]
: /etc/letsencrypt
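A backup script for the layout described above (one data root plus the certificate directory), added here as an example; it is not part of these notes. The data root and backup destination are assumed paths, =/etc/letsencrypt= is the one noted above, and all three can be overridden from the environment. The archive is verified before the script reports success, so a failed or partial backup is noticed instead of silently kept.

```shell
#!/bin/sh
# Added example, not part of the original notes: archive the single data root
# and the certificate directory into one dated tarball, then verify the archive
# before reporting success. DATA_ROOT and BACKUP_DIR are hypothetical defaults;
# /etc/letsencrypt is the path given in the notes. All can be overridden.
set -eu

DATA_ROOT="${DATA_ROOT:-/srv/data}"
CERT_DIR="${CERT_DIR:-/etc/letsencrypt}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups}"

# backup_dirs ARCHIVE DIR...
# Writes DIR... into ARCHIVE (gzip-compressed tar, created owner-only because
# it will contain private keys), then checks that the archive can be listed
# and that every requested directory is present in it. Prints the archive
# path on success and returns 1 on any failure, so a caller (for instance an
# mcron job that mails its output) can report the problem.
backup_dirs() {
    archive="$1"; shift
    umask 077
    mkdir -p "$(dirname "$archive")"
    # tar strips the leading "/" from member names, so "/etc/letsencrypt"
    # is stored as "etc/letsencrypt/".
    tar -czf "$archive" "$@" || return 1
    listing="$(tar -tzf "$archive")" || return 1
    for d in "$@"; do
        case "$listing" in
            *"${d#/}/"*) ;;          # directory present in the archive
            *) return 1 ;;          # missing: treat the backup as failed
        esac
    done
    echo "$archive"
}

# run_backup: date-stamped archive name, so old copies can be pruned by name.
run_backup() {
    stamp="$(date +%Y%m%d-%H%M%S)"
    backup_dirs "$BACKUP_DIR/server-$stamp.tar.gz" "$DATA_ROOT" "$CERT_DIR"
}

# Invocation for a cron/mcron job (performs the real backup):
#   run_backup
```

Restoring is then a single =tar -xzf= of the latest archive from =/=, which covers the "no re-creating everything from scratch" requirement for the certificates.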
** TODO Monitoring
:PROPERTIES:
:CUSTOM_ID: 5f0457af-49dc-4122-83ff-a0604e3c6a02
:END:
- State "TODO" from [2020-11-30 lun. 01:20]
- https://mmonit.com/monit/
- https://collectd.org/
Reports via email.
** TODO Intrusion prevention and detection
:PROPERTIES:
:CUSTOM_ID: ee160451-cfe8-49b2-a71f-6f1dca02cb9d
:END:
- State "TODO" from [2020-11-30 lun. 01:20]
- http://www.fail2ban.org/wiki/index.php/Main_Page
- http://rkhunter.sourceforge.net/
** TODO Security review
:PROPERTIES:
:CUSTOM_ID: f8a54acf-a417-4957-ac13-21df9a57ed4c
:END:
- State "TODO" from [2020-11-30 lun. 01:20]
https://cheatsheetseries.owasp.org/Glossary.html
** TODO Build new Guix image and document the steps
:PROPERTIES:
:CUSTOM_ID: 7d57aa50-597e-4a86-b9d7-c2d84f53e1c6
:END:
- State "TODO" from [2020-11-29 dim. 02:10]
Instead of syncing the =.bashrc= file, I should put my aliases in the base image.
** TODO Setup cgit
:PROPERTIES:
:CUSTOM_ID: 43a7a634-84ec-41de-b243-c27fd4a44c25
:END:
- State "TODO" from [2020-11-30 lun. 01:20]
- setup =README= file rendering
- force redirect HTTPS
- permanent redirect www and everything else to non-www
** TODO Add email mcron job report
:PROPERTIES:
:CUSTOM_ID: dd3f2bc7-8d6d-4bab-9a5e-d3211115e4f4
:END:
- State "TODO" from [2020-11-29 dim. 20:21]
* Bugs
:PROPERTIES:
:CUSTOM_ID: bugs
:END:
* Improvements
* Services
** TODO =git.$tld=: cgit
** TODO =$project.$tld=: static documentation for projects
** TODO =ci.$tld=: cuirass
** TODO =mail.$tld=: email
** TODO =chat.$tld=: Matrix/XMPP
** TODO =meet.$tld=: Jitsi/Nextcloud Talk
** TODO =$tld=: Jekyll blog
* Decisions
:PROPERTIES:
:CUSTOM_ID: decisions
:END:
** DONE On public SSH key leakage
:PROPERTIES:
:CUSTOM_ID: d38019ac-a2ad-484d-91e5-f4bdb1fa00ca
:END:
CLOSED: [2020-11-29 dim. 00:27]
- State "DONE" from [2020-09-06 dim. 00:00]
As described in "[[https://rushter.com/blog/public-ssh-keys/][Public SSH keys can leak your private infrastructure]]", public
SSH keys can expose undesired infrastructure, especially for targeted attacks.
I'm not considering this a threat, since the link between the server and me is
already public. It may be much more effective to just change the SSH port away
from the default: it doesn't accomplish the same thing, but it prevents simple
detections. It is still possible to find this out via a script, but it is orders of
magnitude harder for the attacker.
** DONE Matrix over XMPP
:PROPERTIES:
:CUSTOM_ID: de89fc4e-5c36-4f6b-9227-221b70e9f321
:END:
CLOSED: [2020-11-29 dim. 00:29]
- State "DONE" from [2020-11-29 dim. 00:29]
I'm picking Matrix. Not because of the protocol or anything else, but because it
has the two relevant double-puppeting bridges: mautrix-telegram and
mautrix-whatsapp.
TBH I like XMPP much more, but without working puppeting bridges, I would stay
isolated with it, which would defeat the purpose of having a chat server in the
first place.
Maybe an XMPP double-puppeting bridge could allow me to use an XMPP client to
talk with Telegram and WhatsApp chats.
* Resources
** https://framagit.org/tyreunom/system-configuration/
* Scratch