author: EuAndreh <eu@euandre.org> 2020-08-10 12:46:20 -0300
committer: EuAndreh <eu@euandre.org> 2020-08-10 12:46:20 -0300
commit: 194628ec03da6065b186f16a237d264be6284b21 (patch)
tree: ba59d46f791c29d1ee927107769a10113f655f98
parent: Migration: Remove Ansible and Docker code, move only to NixOS
download: toph-194628ec03da6065b186f16a237d264be6284b21.tar.gz
toph-194628ec03da6065b186f16a237d264be6284b21.tar.xz
Remove old archive.org
-rw-r--r-- archive.org 414
1 files changed, 0 insertions, 414 deletions
diff --git a/archive.org b/archive.org
deleted file mode 100644
index 368bb9f..0000000
--- a/archive.org
+++ /dev/null
@@ -1,414 +0,0 @@
-* Questions
-** CANCELLED Critiques of Docker?
-What does NixOps, DisNix and Dysnomia are trying to accomplish that overlap with Docker? Use sqldiff for NixOps?
-
-Do they do a better job? Why? Why not?
-
-Get a book on advanced Docker, or container fundamentals and dig deeper.
-** CANCELLED Should I have an extra backup location?
-Maybe rsync the contents of the Borg repository into S3. Should I restore backups from these too?
-** CANCELLED Should I be using something like [[https://www.vaultproject.io/][Vault]] instead of git-crypt?
-Can it do key rotation?
-** CANCELLED Can the =setup.sh= and =provision.sh= scripts be run inside a chroot or a NixOS contained environment?
-Right now they can't simply be a derivation because =setup.sh= needs access to the disk and =provision.sh= needs to access the internet.
-** CANCELLED Is there a way to commit the /signed/ public key?
-This way it would remove the need of using the =--always-trust= option of =gpg=.
-** DONE How to dynamically handle Floating IPs?
-CLOSED: [2019-06-10 Mon 08:59]
-Right now the current Floating IP defined in =.envrc= was created manually in DigitalOcean's web UI and copied from it to the environment variable.
-
-If everything was teared down, I couldn't recreate everything from source, because the Floating IP would be different.
-
-The ultimate goal would be to upsert a Floating IP address? If no Floating IP address exists, create one. If one already exists (I don't how to get a reference to it), use it.
-
-In other words, I don't want any hardcoded IPs in the recipe. The IP address has to be fixed, and the same on the DNS registrar and DigitalOcean's Floating IP.
-*** Solution
-I provisioned both the Floating IP and the DNS A record in the same recipe. Now everything is recreated from scratch every time.
-** DONE Do I want or need Docker? Should I use it?
-CLOSED: [2019-05-25 Sat 18:1980]
-It was a better path than sticking with NixOps and nixcloud-webservices. It's more widespread and has more things done for it.
-** CANCELLED How to share the Nix store across services?
-** DONE How to leverage DigitalOcean's block storage?
-CLOSED: [2019-05-25 Sat 18:19]
-Provision it using Terraform, and use it's path as the =$VOLUME_HOME= variable for containers.
-
-This was I can compartimentalize the data storage to easily backup and duplicate, but also destroy a running droplet and create a new one.
-* Nice to have
-** CANCELLED =ETag= on static files
-** CANCELLED Nix Terraform provisioning
-Revive NixOps.
-
-See also:
-- https://github.com/tweag/terraform-provider-nixos
-- https://github.com/tweag/terraform-nixos
-** DONE Upgrate Terraform to 0.12.1 to use =for_each= loops on resources
-CLOSED: [2020-08-02 dim. 20:36]
-Previous title:
-
-: Upgrade =terraform-godaddy= to 0.12 to support looping over CNAME records
-
-When using =terraform-godaddy= this made sense:
-#+BEGIN_SRC hcl
-locals {
- cname_subdomains = [
- "${var.wallabag_tld_prefix}",
- "${var.nextcloud_tld_prefix}",
- ]
-}
-
-resource "godaddy_domain_record" "vps_tld" {
- domain = "${var.tld}"
- addresses = ["${var.floating_ip}"]
-
- dynamic "record" {
- for_each = local.cname_subdomains
-
- content {
- type = "CNAME"
- name = tag
- data = "${var.tld}"
- }
- }
-}
-#+END_SRC
-However, when transitioning to DNS provisioning using DigitalOcean, there's a catch: the =digitalocean_record= resource in Terraform lives on the toplevel, not nested. I tried doing a similar thing, but [[https://www.hashicorp.com/blog/hashicorp-terraform-0-12-preview-for-and-for-each][Terraform 0.12 doesn't support =for_each= loops on =resources=]]:
-
-: During the development of Terraform 0.12 we've also laid the groundwork for supporting for_each directly inside a resource or data block as a more convenient way to create a resource instance for each element in a list or map. Unfortunately we will not be able to fully complete this feature for the Terraform 0.12 initial release, but we plan to include this in a subsequent release to make it easier to dynamically construct multiple resource instances of the same type based on elements of a given map.
-
-The equivalent code should look like:
-#+BEGIN_SRC hcl
-locals {
- cname_subdomains = [
- "${var.wallabag_tld_prefix}",
- "${var.nextcloud_tld_prefix}",
- ]
-}
-
-resource "digitalocean_record" "subdomains" {
- for_each = local.cname_subdomains
-
- domain = "${digitalocean_domain.vps_tld.name}"
- type = "CNAME"
- name = each
- value = "${digitalocean_domain.vps_tld.name}."
-}
-#+END_SRC
-** CANCELLED Full blue/green deployments without downtime
-Only when doing a voluntary restore from backup in a newly created volume.
-
-Is there email software capable of doing this? A distributed email server that doesn't rely so much on the server file system, but on a database instead?
-** CANCELLED Do all this in a Raspberry Pi
-Even the email server can be in it. Is RAM the beiggest limitation for it?
-
-Raspberry Pi vs VPS
-
-Imagine 2 Raspberry Pis, doing immutable blue/green deployments on it, with a large local of a few TBs!
-* Must
-** DONE Fully deployable from code
-CLOSED: [2019-06-10 Mon 08:51]
-Use +NixOps+ Ansible and Terraform to fully automate all of the configuration.
-* Services
-** DONE =$tld=: Static webhosting
-CLOSED: [2019-05-26 Sun 10:17]
-Use IPFS? What about Dat?
-** DONE =wallabag.$tld=: Wallabag
-CLOSED: [2019-05-25 Sat 18:02]
-A bookmark application must:
-- allow me to save and read articles on Android and Firefox;
-- allow me to have tags for links;
-** NEXT =cloud.$tld=: Nextcloud: storage, calendar, contacts, notes
-https://github.com/nextcloud/docker
-
-Do I need to configure =NEXTCLOUD_TRUSTED_DOMAINS= or it should work without it?
-
-Start with =cloud.$tld= before =mail.$tld= so I can retire =arrobaponto.org= and reuse it for other projects.
-
-Activate client-side [[https://docs.nextcloud.com/server/11/user_manual/files/encrypting_files.html][encryption]] of files. Activate two-factor authentication for admin and user accounts.
-
-Nextcloud bookmarks instead of Wallabag? Does it have browser extension and Android app? How about the password manager? Is is client-side encrypted?
-
-Should I consider using an external storage provider, like S3, instead of solely local (DigitalOcean's attached volume)?
-** TODO =mail.$tld=: Email + webmail
-https://github.com/tomav/docker-mailserver
-https://mailu.io/master/demo.html
-https://mailcow.email/
-https://poste.io/
-https://github.com/hardware/mailserver
-
-=mail.$tld= could be the Nextcloud mail application!
-** TODO =www.$tld= and =blog.$tld=: Redirect to =$tld=
-** TODO =hydra.$tld=: Hydra
-Does Hydra support release management? The source tarball can live in git.sr.ht, but what about compiled outputs?
-
-I'd like to release both pre-compiled binaries and Docker images.
-** TODO =cuirass.$tld=: [[https://git.savannah.gnu.org/cgit/guix/guix-cuirass.git][Cuirass]]
-** TODO =annex.$tld=: Public content from Git Annex repositories
-Only an static file server, with folders for individual assets.
-** TODO =pi-hole.$tld=: Pi-hole
-** TODO =pwk.$tld=: Piwik
-** TODO =sentry.$tld=: Sentry
-** TODO =ipfs.$tld=: IPFS pinning service
-** TODO =git.$tld=: CGit or GitWeb
-https://github.com/iconoeugen/docker-gitweb
-** TODO =songbooks.$tld=: Songbooks demo application
-** TODO =pires.$tld=: Pires deployment
-** TODO =paste.$tld=: Static pastebin
-Use Hakyll like in =euandre.org/pastebin/*=, but with root at =paste.$tld/paste-title.html=.
-** TODO =link.$tld=: YOURLS
-No need for short URLs, but maybe useful for tracking link usage?
-
-What are the privacy implications? Related relevant article: http://stage.vambenepe.com/archives/1596
-** TODO =$tld=: Guix build offload
-Install Guix (run it inside a Docker image) to allow it to receive offload build commands.
-** TODO =$comment.$tld=: Comment.io deployment
-** TODO Lightning node
-** CANCELLED =perkeep.$tld=: Perkeep
-I'm already covered by using Git Annex for almost everything.
-** TODO =matrix.$tld=: Matrix Synapse server
-I'm not using IRC a lot right now. Wait for me to interact more with mailing lists and gauge the need of IRC.
-
-It's better than IRC, OTR (XMPP) and everything else, and interoperates with everything. As well said by @matthew, I'm using Matrix mostly as [[https://discourse.mozilla.org/t/matrix-and-irc-mozillians-custom-client/2911/7][a glorified IRC bouncer]]. I do use some Matrix rooms, but mostly for IRC itself.
-
-Also from https://matrix.org/blog/2015/06/22/the-matrix-org-irc-bridge-now-bridges-all-of-freenode:
-
-: Doing this is trivial - you just /join #freenode#channelname:matrix.org from a typical Matrix client - e.g. /join #freenode#Node.js:matrix.org will give you access to all of #Node.js via Matrix, effectively using Matrix as a great big distributed IRC bouncer in the sky ;)
-
-Should continue to consider doing as I continue to use IRC.
-
-Test the Emacs Matrix client along with the server installation.
-
-Use =eu@$tld= for identity server, =chat.$tld= for Riot.
-** CANCELLED =firefox.$tld=: Firefox Sync (and maybe auth server)
-Not really important or relevant:
-- I already manage and backup bookmarks;
-- I backup the browsing history;
-- logins and passwords are kept in KeePassXC;
-
-So losing Firefox Sync data means losing "Open Tabs", "Add-ons" and "Preferences", which I'm OK with.
-
-So instead of hosting my own Firefox Sync, I should keep not relying on it as much as possible.
-** WAITING =search.$tld=: Searx instance
-Would it be actually more private?
-* Tasks - v1
-** DONE Provision DigitalOcean's droplet from Terraform
-CLOSED: [2019-05-25 Sat 13:29]
-** DONE Properly provision Ubuntu droplet
-CLOSED: [2019-05-25 Sat 17:50]
-** DONE Automate deployment of updates
-CLOSED: [2019-05-29 Wed 17:42]
-*** DONE Subtasks
-CLOSED: [2019-05-29 Wed 17:42]
-**** DONE Fix Debian import of GPG keys
-CLOSED: [2019-05-26 Sun 14:34]
-While NixOS image isn't fixed, use Debian instead.
-
-The GPG data was all in a single line. I copied and pasted it properly and it was identified correctly.
-**** CANCELLED Properly install Nix on Debian image
-NixOS patch was applied.
-**** DONE Fix NixOS GPG key importing in builds.sr.ht
-CLOSED: [2019-05-26 Sun 17:37]
-See patch and discussion in [[https://lists.sr.ht/~sircmpwn/sr.ht-dev/%3C20190526162135.1646-1-eu%40euandre.org%3E][sr.ht-dev mailing list]].
-**** DONE Use ssh configuration from environment instead of creating and alias for =ssh=
-CLOSED: [2019-05-26 Sun 19:44]
-***** DONE Relative =IdentityFile= path
-CLOSED: [2019-05-26 Sun 19:42]
-Used =envsubst= to properly interpolate variables in =ssh.conf=
-***** DONE Omit =-F ssh.conf= from command
-CLOSED: [2019-05-26 Sun 19:42]
-Put it in an environment variable?
-
-Done by appending to content of =~/.ssh/config=.
-**** DONE Use DigitalOcean's Floating IP in front of the droplet
-CLOSED: [2019-05-28 Tue 23:22]
-**** DONE Automate deployment with Terraform and deployment scripts
-CLOSED: [2019-05-29 Wed 15:54]
-**** DONE Backup data during deployments
-CLOSED: [2019-05-28 Tue 00:48]
-Is this approach feasible? Will it make the deployment take too much longer? What are the alternatives?
-
-Initial sketch of the backup commands:
-#+BEGIN_SOURCE shell
-rsync --verbose --progress --stats --update --recursive "$HOME/backups/" "$RSYNC_REMOTE"
-borg create -svp -C lzma,6 "~/borgbackup::{hostname}-{now}-${VPS_COMMIT_SHA} ${VOLUME_HOME}"
-rsync --verbose --progress --stats --update --recursive "$RSYNC_REMOTE" "$HOME/borgbackups/"
-#+END_SOURCE
-
-Implemented with help from https://jstaf.github.io/2018/03/12/backups-with-borg-rsync.html
-**** DONE Namecheap whitelist IP limitation
-CLOSED: [2019-05-26 Sun 17:14]
-Namecheap requires you to specifically whitelist an IP that can perform changes to their API.
-
-[[https://lists.sr.ht/~sircmpwn/sr.ht-discuss/%20%3CCAJk2QMbq8uE1pcG3Uy6w37HUY7W15cQ+sHoj-UBWN-W11AtcrA%40mail.gmail.com%3E][builds.sr.ht]] don't guarantee any specific IP, so whitelisting it isn't an option.
-
-The best candidate so far is using DigitalOcean's Floating IP feature to link a hardcoded IP to a droplet, while the droplet's IP may change. This way any new deployment wouldn't change the public IP of the box, and wouldn't require me to change the DNS A and AAAA records on Namecheap.
-
-This has also an advantage of allowing the email server to keep it's IP address.
-
-The downside is that the deployment of DNS registries isn't fully automated: whenever I have to change a DNS entry, either for adding a new CNAME record or changing an AAAA record, I'll have to:
-1- get my own IP;
-2- whitelist it on Namecheap's web interface;
-3- run a separate Terraform recipe.
-
-The upside is that this should happen less often than a deployment, but still not ideal. The ideal would be to run the Terraform recipe every time, and Terraform would realize that there was no DNS related change and do nothing.
-*** Limitations
-During build, decrypt content of files and update the deployment.
-
-How does Terraform tfstate file can be handled in this case?
-
-UPDATE:
-Terraform does support the so called "backends" to coordinate lock and usage of the =.tfstate= files. On this regard there are no restrictions on continously deploying with Terraform from the CI pipelines.
-
-However the current applications do *not* properly support blue/green deployment, like email, Nextcloud, etc.
-
-We could try to share a shared volume, but that would be a consistency nightmare.
-
-The other option is to always recreate everything, with downtime. The advantage is that we get actual immutable deployments with stateful storage, but there would be downtime for every deployment. This is due to the nature of most of the packaged applications being single node *only*.
-
-There's also the IP reputation issue: recreating everything from scratch every time would lead to new droplets with new IP addresses, which is not a good thing to be changing in a server box.
-
-A reasonable alternative would be to redeploy everything on a different node, with a different TLD, and manually check that. But that would be just like an staging environment, with all of it's downsides too.
-
-In this situation, I if go on with automating the deployment I'd rather pick the downtime option.
-
-I'll start with other services other than email and consider alternatives later.
-** DONE Correctly load the SSH keypair using =user_data=
-CLOSED: [2019-06-05 Wed 18:16]
-*** DONE Disable the =user_data=
-CLOSED: [2019-06-05 Wed 17:39]
-*** DONE Generate and manually copy the =user-data.env= file
-CLOSED: [2019-06-05 Wed 17:39]
-*** CANCELLED Run it on the system
-*** DONE Run each step individually and check them
-CLOSED: [2019-06-05 Wed 18:15]
-Check the content of the generated key files.
-*** DONE Try to login
-CLOSED: [2019-06-05 Wed 18:15]
-Problem was on file typo and private key permissions.
-
-Bonus: change SSH port
-** DONE Test key rotation
-CLOSED: [2019-06-05 Wed 19:28]
-See if it is actually working as expected.
-** DONE Use Digital Ocean's Volumes for persistent extended storage
-CLOSED: [2019-06-05 Wed 20:38]
-** DONE Make VPS provisioning more robust
-CLOSED: [2019-06-10 Mon 09:01]
-*** DONE Use Ansible (or an equivalent tool) instead of custom Bash scripts
-CLOSED: [2019-06-05 Wed 16:41]
-They are now more fragile, ad-hoc and imperative than I would like.
-
-Today Terraform won't run the =deploy.sh= if no infrastructure changes are required. Split infrastructure provisioning from server configuration with somethong like Ansible or =nix copy closure= and add extra command in the pipeline run.
-*** DONE Always perform a blue/green infrastructure deployment with Terraform
-CLOSED: [2019-06-10 Mon 09:01]
-Recreate a new Droplet from scratch, even if no changes happened.
-
-This way every deployment tests the code path of creating everything from scratch again, from the DNS public IP all the way to restoring backups.
-*** DONE Destroy and recreate the volume on deployment
-CLOSED: [2019-06-10 Mon 09:01]
-Restore from the latest backup with:
-#+BEGIN_SOURCE shell
-borg list --short --sort-by timestamp | tail -n 1
-#+END_SOURCE
-** DONE Configure DNS from Terraform
-Handling DNS with DigitalOcean did it. Namecheap and GoDaddy API are bad, and all I had to do manually was configure a [[https://www.digitalocean.com/community/tutorials/how-to-point-to-digitalocean-nameservers-from-common-domain-registrars][custom nameserver to point to DigitalOcean's nameserver]].
-CLOSED: [2019-06-09 Sun 22:52]
-*** DONE Test provisioning DNS entries with other DNS registrars
-CLOSED: [2019-06-09 Sun 22:52]
-DNS registrar API are bad in general (from what I've seen). Using DigitalOcean's DNS was more straightforward.
-*** DONE Have dynamic Floating IP (a.k.a. =$PINNED_IP=)
-CLOSED: [2019-06-09 Sun 22:52]
-Floating IP is dynamically attached to the DNS entry in DigitalOcean itself.
-** CANCELLED Create snapshots before destroying resources
-This way the previous good state can be reverted if the deployment fails or the backup can't be restored.
-
-Can a TTL be added to the Droplet and the Volume's snapshots?
-
-Cancelled:
-One can't destroy a Droplet without destroying associated snapshots, even with selected =-target= flags given to =terraform destroy=.
-** DOING Fix Nextcloud 502 error
-** DONE Rotate git crypt key
-CLOSED: [2020-08-02 dim. 20:39]
-Same in =vps-state= repo.
-** DONE Change builds.sr.ht SSH keys
-CLOSED: [2020-08-02 dim. 20:38]
-** DONE Deactivate Wallabag
-CLOSED: [2019-11-16 sam. 15:59]
-** DONE Improve rotation of SSH port
-CLOSED: [2020-08-02 dim. 20:38]
-Remove need for manual intervention
-** TODO Harden the server
-*** TODO [#C] [[https://www.reddit.com/r/selfhosted/comments/bw8hqq/top_3_measures_to_secure_your_virtual_private/][Top 3 measures to secure your Virtual Private Server? (VPS)]]
-*** TODO [#A] [[https://docs.nextcloud.com/server/stable/admin_manual/installation/harden_server.html][Nextcloud: Hardening and security guidance]]
-*** TODO [#A] [[https://ownyourbits.com/2017/03/25/nextcloud-a-security-analysis/][NextCloud, a security analysis]]
-*** TODO [#B] [[https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md][Check for HSTS header configuration]]
-** DONE Settle on TLD
-CLOSED: [2020-08-02 dim. 20:38]
-Change virtual card to avoid charging.
-** CANCELLED Use git-remote-gcrypt instead of git-crypt for vps-state
-Also put all of the content of =secrets/*= into vps-state? Maybe rename it to vps-secret?
-
-Right now, secrets are scattered between the two repositories. By moving I can completely remove =git-crypt= from this repository.
-*** Cancelled:
-The =vps-state= repo isn't supposed to centralize all secrets, it's just a storage backend for Terraform files.
-** DONE Run backup on +Terraform destroy action+ Ansible instead of manually in =provision.sh=
-CLOSED: [2019-06-11 Tue 11:13]
-Terraform's destroy provisioner isn't well suited for this: in case of failure [[https://www.terraform.io/docs/provisioners/#destroy-time-provisioners][it tries to run the provisioner more than once]]. I'd rather have it fail on the first error.
-
-Instead use Ansible to perform this instead of ad-hoc Bash commands.
-** DONE Explicitly destroy Droplets before running Terraform apply
-CLOSED: [2019-06-05 Wed 19:48]
-** DONE Store updated =.tfstate= even in case of deployment failure
-CLOSED: [2019-06-10 Mon 21:21]
-Right now the script fails on Terraform commands before reaching git commands. I should trap the error, store on git and only then fail.
-** DONE Fix alias in =bash-profile.sh=
-CLOSED: [2019-06-10 Mon 09:01]
-** DONE Email verbose (Ansible) log files in case of error
-CLOSED: [2019-06-10 Mon 16:59]
-builds.sr.ht only emails the link. Should it be extended to support encrypted log attachments?
-** CANCELLED Use environment variables for SSH key paths and volume mounts
-Make this change only if I have to change any of it's names.
-
-It's working fine like this right now, and I'll gain nothing from this change.
-** DONE Don't allow backups to fail
-CLOSED: [2019-06-10 Mon 11:21]
-** CANCELLED Don't hardcode =/root/= paths: use =~/= instead to allow for different users
-Make this change only if I have to change any of it's names.
-
-It's working fine like this right now, and I'll gain nothing from this change.
-* Tasks - v2
-** DONE Settle on TLD
-CLOSED: [2020-08-02 dim. 20:32]
-** CANCELLED Use ZFS on droplet
-No point on doing this.
-** DONE Upgrade =docker-compose.yaml= file from version 2 to version 3
-CLOSED: [2020-08-02 dim. 20:32]
-** DONE =euandreh.org= as =$tld=
-CLOSED: [2019-06-16 Sun 17:42]
-** TODO README with setup instructions
-** CANCELLED Use HTTP2? Why? Why not?
-** TODO Fix =file: command not found= in CI
-The =file= package is imported in =shell.nix= but =~/.buildenv= is sourced before.
-** TODO Use =--pure= for =nix-shell= scripts
-** DONE Use Terraform 0.12
-CLOSED: [2020-08-02 dim. 20:38]
-- remove string interpolation in variable usages
-- use rich value types
-* Tasks - v3
-** DONE Fix Nextcloud 502 error
-CLOSED: [2020-08-05 mer. 06:59]
-** TODO Add borg backup to crontab
-** TODO Add missing =defaul= nginx vhost file
-** TODO Clean-up garbage backups from rsync.net
-** TODO Harden the server
-*** TODO [#C] [[https://www.reddit.com/r/selfhosted/comments/bw8hqq/top_3_measures_to_secure_your_virtual_private/][Top 3 measures to secure your Virtual Private Server? (VPS)]]
-*** TODO [#A] [[https://docs.nextcloud.com/server/stable/admin_manual/installation/harden_server.html][Nextcloud: Hardening and security guidance]]
-*** TODO [#A] [[https://ownyourbits.com/2017/03/25/nextcloud-a-security-analysis/][NextCloud, a security analysis]]
-*** TODO [#B] [[https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md][Check for HSTS header configuration]]
-** TODO README with setup instructions
-** TODO Fix =file: command not found= in CI
-The =file= package is imported in =shell.nix= but =~/.buildenv= is sourced before.
-** TODO Use =--pure= for =nix-shell= scripts
-** TODO Add volume to fstab
-Can I use Terraform form this?
-** TODO Use Guix instead of Ansible
-Or NixOps if not possible or feasible with Guix.
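Review bot: the commit message "Remove old archive.org" does not say where the still-open work goes, yet the deleted file's `-* Tasks - v3` section at the end of the hunk still carries open items such as `-** TODO Harden the server` (with its four hardening references), `-** TODO Add borg backup to crontab` and `-** TODO Add missing =defaul= nginx vhost file`; either note in the commit message that these were migrated to a new tracking file or keep the open entries in the repository. The deleted file is also the only place on this page that records how the latest backup is selected for restore, under `-*** DONE Destroy and recreate the volume on deployment` (`borg list --short --sort-by timestamp | tail -n 1`), and the rationale for the Floating IP and DigitalOcean DNS setup (`-**** DONE Namecheap whitelist IP limitation`); if the deployment code does not already encode these, preserving them in the README that the v3 list still marks as TODO would avoid losing operational context a future restore or re-provisioning depends on.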