| author | EuAndreh <eu@euandre.org> | 2020-08-10 11:22:19 -0300 |
|---|---|---|
| committer | EuAndreh <eu@euandre.org> | 2020-08-10 11:22:25 -0300 |
| commit | fd9165fac0516481414c8e595685090bcc27b6c8 (patch) | |
| tree | f338faaa47e46284e85079a42b76135cb7bef3e3 | |
| parent | cfg-bkp (diff) | |
| download | toph-fd9165fac0516481414c8e595685090bcc27b6c8.tar.gz, toph-fd9165fac0516481414c8e595685090bcc27b6c8.tar.xz | |
TODOs.org
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | TODOs.org | 30 |
| -rw-r--r-- | archive.org | 19 |

2 files changed, 34 insertions, 15 deletions
@@ -1,8 +1,6 @@ -* Tasks - v3 -** DONE Fix Nextcloud 502 error -CLOSED: [2020-08-05 mer. 06:59] +* Tasks - v4 +** TODO How to handle IP changes in mail server? ** TODO Add borg backup to crontab -** TODO Add missing =defaul= nginx vhost file ** TODO Clean-up garbage backups from rsync.net ** TODO Harden the server *** TODO [#C] [[https://www.reddit.com/r/selfhosted/comments/bw8hqq/top_3_measures_to_secure_your_virtual_private/][Top 3 measures to secure your Virtual Private Server? (VPS)]] @@ -15,20 +13,11 @@ The =file= package is imported in =shell.nix= but =~/.buildenv= is sourced befor ** TODO Use =--pure= for =nix-shell= scripts ** TODO Add volume to fstab Can I use Terraform form this? -** TODO Use Guix instead of Ansible -Or NixOps if not possible or feasible with Guix. * Services - v2 -** DONE =cloud.$tld=: Nextcloud: storage, calendar, contacts, notes and talk -CLOSED: [2020-08-05 mer. 07:00] +** TODO =cloud.$tld=: Nextcloud: storage, calendar, contacts, notes and talk ** TODO =chat.$tld=: Matrix Synapse server, or a XMPP server -https://zingmars.info/2019/12/29/Running-a-personal-Matrix-server-using-docker/ -https://matrix.org/docs/guides/free-small-matrix-server -https://jonnev.se/matrix-homeserver-with-docker/ -** CANCELLED =gpodder.$tld=: gpodder.net sync service -Instead use a desktop application (like gPodder itself) to manage podcasts and export episodes to then phone when needed. - -This solution not only doesn't require internet access, but also it removes the mainteinance of additional software on the server. ** TODO =git.$tld=: git-instaweb (or cgit) server with repositories from ~/dev/libre/ +** TODO =audio.$tld=: FunkWhale ** TODO =mail.$tld=: postfix, dovecot, spamassasin, opendkim, etc No need for roundcube, Nextcloud has a web interface client. ** TODO =$tld=: current Jekyll blog 
@@ -41,6 +30,7 @@ No need for roundcube, Nextcloud has a web interface client. ** [[https://github.com/nixcloud/nixcloud-webservices][nixcloud-webservices]] ** [[https://github.com/Kickball/awesome-selfhosted#email][Awesome-Selfhosted: Email]] ** [[https://arstechnica.com/information-technology/2014/04/taking-e-mail-back-part-4-the-finale-with-webmail-everything-after/][Taking e-mail back]] +** [[https://jacobneplokh.com/how-to-setup-nextcloud-on-nixos][How to Setup Nextcloud on NixOS]] * Decisions ** Use external git repository as an encrypted database Terraform does have the support for "backends" where it can store =.tfstate= files. 
@@ -56,6 +46,14 @@ All data stored on git is encrypted with [[https://www.agwa.name/projects/git-cr By taking advantage of the sourcehut ecosystem, it was easier to setup the access of the pipeline to the ad-hoc Terraform backend. I created a repository called [[https://git.sr.ht/~euandreh/vps-state/][=vps-state=]] to store the encrypted =.tfstate= and =.tfplan= files. During the CI run, the pipeline creates new a =.tfplan= file and commits it into =vps-state=, and after applying the plan it updates the =.tfstate= file and adds this change to =vps-state=. +** Move external =vps-state= into =vps= +I want to move the Terraform state into this repository, I don't like the inconsistency that having 2 repos create. + +If I move vps-state into vps, I'll have to remove the terraform steps from the pipeline: it can't commit to itself (as described above). This has an upside too: instead of automatically approving whatever plan Terraform creates, I review the plan before applying. + +It makes the deploying less automatic, but this removes the IP reputation email issue. + +This means that the Terraform provisioning should stay out of the CI and be run only locally. ** Configuration of =StrictHostKeyChecking= We have 3 cases where I'm pushing things to the server and I'm dealing with it differently: *** 1. Pushing updates to the =vps-state= repository 
@@ -76,6 +74,8 @@ Instead, explicitly call =ansible-playbook= after =terraform apply= finished run This way we test the DNS A record -> Floating IP -> Droplet IP path. We can't do that inside Terraform declaration because the =local-exec= provisioning command runs before the =digitalocean_floating_ip_assignment= is created, and we can't create a cyclic dependency between the two resources. We could use the raw Droplet IP instead of the DNS A record, but I prefer calling it later in order to always test the full DNS resolution. +* Questions +** How to best handle IP changes when the server changes? How does this affect the email sending IP reputation? * Scrath https://federationtester.matrix.org/ EteSync? diff --git a/archive.org b/archive.org index 4fa5993..368bb9f 100644 --- a/archive.org +++ b/archive.org 
@@ -393,3 +393,22 @@ The =file= package is imported in =shell.nix= but =~/.buildenv= is sourced befor CLOSED: [2020-08-02 dim. 20:38] - remove string interpolation in variable usages - use rich value types +* Tasks - v3 +** DONE Fix Nextcloud 502 error +CLOSED: [2020-08-05 mer. 06:59] +** TODO Add borg backup to crontab +** TODO Add missing =defaul= nginx vhost file +** TODO Clean-up garbage backups from rsync.net +** TODO Harden the server +*** TODO [#C] [[https://www.reddit.com/r/selfhosted/comments/bw8hqq/top_3_measures_to_secure_your_virtual_private/][Top 3 measures to secure your Virtual Private Server? (VPS)]] +*** TODO [#A] [[https://docs.nextcloud.com/server/stable/admin_manual/installation/harden_server.html][Nextcloud: Hardening and security guidance]] +*** TODO [#A] [[https://ownyourbits.com/2017/03/25/nextcloud-a-security-analysis/][NextCloud, a security analysis]] +*** TODO [#B] [[https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md][Check for HSTS header configuration]] +** TODO README with setup instructions +** TODO Fix =file: command not found= in CI +The =file= package is imported in =shell.nix= but =~/.buildenv= is sourced before. +** TODO Use =--pure= for =nix-shell= scripts +** TODO Add volume to fstab +Can I use Terraform form this? +** TODO Use Guix instead of Ansible +Or NixOps if not possible or feasible with Guix. |
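Review bot: in the first TODOs.org hunk (`@@ -1,8 +1,6 @@`), `** TODO Add missing =defaul= nginx vhost file` is dropped from the v4 list with no DONE/CLOSED line, unlike the `Fix Nextcloud 502 error` item removed right above it, so the diff does not say whether a default vhost was added or the task abandoned. If it was done, archive it with a `CLOSED:` timestamp like the other closed items; if not, keep it in v4 (and fix `=defaul=` to `=default=`).

Review bot: in the `@@ -15,20 +13,11 @@` hunk, `** DONE =cloud.$tld=: Nextcloud: ...` goes back to TODO and loses its `CLOSED: [2020-08-05 mer. 07:00]` line without a note saying what is still outstanding, even though the same commit archives the Nextcloud 502 fix as done; add a line under the item stating what remains. The three Matrix links removed from `=chat.$tld=` are the only references that item had; if they are no longer wanted, move them to archive.org alongside the CANCELLED gpodder entry rather than deleting them outright.

Review bot: the `** Move external =vps-state= into =vps=` decision (`@@ -56,6 +46,14 @@`) says running Terraform locally "removes the IP reputation email issue" but never states what that issue is or how a CI-driven apply causes it; spell out the chain (which resource an auto-approved plan recreates, and why that changes the sending IP) so the decision can be re-evaluated later. The surrounding context says all data in git is encrypted with git-crypt; state explicitly that the =.tfstate= and =.tfplan= files keep that protection once they live in this repository, and since apply now runs only locally, note which machine is authoritative so a committed =.tfstate= is not overwritten by a stale local copy.

Review bot: the new `* Questions` entry in the `@@ -76,6 +74,8 @@` hunk duplicates the `** TODO How to handle IP changes in mail server?` added in the first hunk; keep one and link it from the other. The context just above already describes the `DNS A record -> Floating IP -> Droplet IP` path, so the question should say whether replacing the Droplet also replaces the Floating IP (in which case the reputation concern is moot) or only the Droplet IP behind it.

Review bot: the archived `* Tasks - v3` block in the archive.org hunk copies open items verbatim (borg backup to crontab, rsync.net clean-up, Harden the server with its sub-links, the =file: command not found= fix, =--pure=, fstab volume), all of which are still present in TODOs.org after this commit, so the archive no longer distinguishes closed work from a snapshot of the list. Consider archiving only DONE/CANCELLED items, as the `CLOSED: [2020-08-02 dim. 20:38]` entry above does, or label the block as a snapshot; the `=defaul=` typo also carries over into the archive.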