---
Tag: ["Server", "Security", "Privacy", "App", "Web", "Tools"]
Date: 2021-09-19
DocType: "Server"
Hierarchy: "NonRoot"
Performance:
  CPU: 2Core
  RAM: 4GB
  Bandwidth: 4TB
  Speed:
Characteristics:
  OS: Ubuntu 20.04
  Domiciliation: NL
  IPv4: 41.216.181.11
  Hostname: vm919620.desivps.com
  Host: DesiVPS
  SubDomain: tools
Disk:
  Capa: 40GB
  Type: SSD
  UsedSpace: 31%
TimeStamp: 2021-11-13
CollapseMetaTable: yes
---

Parent:: [[mfxm Website Scope|mfxm.fr]], [[Privacy & Security]], [[@IT & Computer|IT & Computer]]

---

^Top

```button
name Edit Server parameters
type command
action MetaEdit: Run MetaEdit
id EditMetaData
```
^button-ToolsServerEdit

```button
name Save
type command
action Save current file
id Save
```
^button-ToolsServerSave

# Tools server

```ad-abstract
title: Summary
collapse: open
Higher spec server to be set up with docker to host a variety of tools using containers.
```

```toc
style: number
```

---

### Server parameters [[#^Top|TOP]]

```ad-quote
title: Dashboard access
[https://clients.desivps.com/clientarea.php](https://clients.desivps.com/clientarea.php)
```

```ad-quote
title: Address
The service will be located under **[tools.mfxm.fr](https://tools.mfxm.fr)**.
```

---

### Services [[#^Top|TOP]]

```ad-abstract
title: Service description
The Tools server will host a variety of tools in docker containers. Several services will aim to service all others and will be installed outside of docker containers.
```

#### Installed server dependencies [[#^Top|TOP]]

##### Docker

```ad-warning
title: [[Configuring Docker|docker]] for non root users
[[Configuring Docker|docker]] predominantly works for the root user.
In order to let non-root users instruct Docker, users need to be added to the Docker group: `sudo usermod -aG docker (username)`
Potentially, the Docker group needs to be defined first: `sudo groupadd docker`
```

Currently running Docker containers:

```ad-bug
title: docker network
ID: 3a4d267e8155e3ff957e15c86360de1431d177b2131455707bea99038f179481
IP: 17.27.37.x
```

##### Caddy [[#^Top|TOP]]

[[Configuring Caddy|caddy]] is the webserver of choice. Refer to the dedicated note for configuration and parametrisation.

```ad-bug
title: authentication token
LWERS4M7njDLiAJe5A6gkv9jRDabvnzBGyYk9vPr1F5dY0LMu47FSjB0v21BAE83rYTOksElzcYmioWA
```

##### Security

| Program name | Type | Description |
|--------------|------|-------------|
| **[[Configuring Fail2ban\|fail2ban]]** | Daemon | Blocks suspicious login attempts |
| **unattended-upgrades** | Program | Enables automatic updates of installed programs and OS |
| **logwatch** | Daemon | Monitors activity on the server and sends activity logs |

##### fail2ban [[#^Top|TOP]]

Classic [[Configuring Fail2ban|fail2ban]] installation with a dedicated configuration:

```ad-command
~~~bash
sudo nano /etc/fail2ban/jail.d/sshd.local
~~~
```

With the following parameters:

```ad-code
~~~ini
[sshd]
enabled = true
port = 2227
maxretry = 10
bantime = 1m
~~~
```

Please refer to the [[Configuring Fail2ban|conf guide]] for a detailed description.

##### Prometheus

[[Configuring Prometheus|Prometheus]] is a monitoring tool for all types of programs and is based on 'structured log files', i.e. the `JSON` format. Please refer to the dedicated page to understand how [[Configuring Prometheus|Prometheus]] works. It needs to be paired with visualisation software like Grafana to reach its full potential.

**live since**: [[2022-03-17]]

##### Postfix

Mail Transfer Agent. Configuration is standard to allow emails to be sent by programs / daemons / [[Nextcloud]] or others. Such a [[Configuring Postfix|system]] is required for every server to work correctly.
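As an added check that is not part of this note, the following POSIX shell script reads a jail file like the `sshd.local` in the fail2ban section together with `sshd_config`, and verifies that the `sshd` jail is enabled, that its `port` matches the port sshd actually listens on (2227 on this server), and that `bantime` is not shorter than an assumed 10-minute floor. The sample files it writes and the floor are constructed assumptions; on a real host the paths would be `/etc/fail2ban/jail.d/sshd.local` and `/etc/ssh/sshd_config`.

```shell
#!/bin/sh
# Added example, not part of the original note: checks that the fail2ban sshd
# jail is enabled, bans on the port sshd really listens on, and does not use a
# very short ban time. Sample files are constructed here; real paths would be
# /etc/fail2ban/jail.d/sshd.local and /etc/ssh/sshd_config.
WORK=$(mktemp -d)
printf '[sshd]\nenabled = true\nport=2227\nmaxretry = 10\nbantime = 1m\n' > "$WORK/sshd.local"
printf 'Port 2227\nPermitRootLogin no\n' > "$WORK/sshd_config"
MIN_BANTIME=600   # assumed floor of 10 minutes; tune to taste

# Read "key = value" (spaces optional) from an INI-style jail file.
jail_value() {
    awk -F'=' -v k="$2" '$0 ~ "^[[:space:]]*"k"[[:space:]]*=" {
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); print $2; exit }' "$1"
}

# Port sshd listens on; OpenSSH defaults to 22 when no Port line is set.
sshd_port() {
    p=$(awk '$1 == "Port" { print $2; exit }' "$1")
    echo "${p:-22}"
}

# Convert a fail2ban duration ("600", "10m", "1h", "1d") to seconds.
to_seconds() {
    n=${1%[smhd]}; u=${1#"$n"}
    case "$u" in
        ""|s) echo "$n" ;;
        m) echo $((n * 60)) ;;
        h) echo $((n * 3600)) ;;
        d) echo $((n * 86400)) ;;
    esac
}

# 0 = consistent; 1 = jail disabled; 2 = port mismatch; 3 = ban time below floor.
check_jail() {
    [ "$(jail_value "$1" enabled)" = "true" ] || return 1
    [ "$(jail_value "$1" port)" = "$(sshd_port "$2")" ] || return 2
    bt=$(to_seconds "$(jail_value "$1" bantime)")
    [ "${bt:-0}" -ge "$MIN_BANTIME" ] || return 3
    return 0
}

rc=0; check_jail "$WORK/sshd.local" "$WORK/sshd_config" || rc=$?
echo "sshd jail check result: $rc"
```

With the constructed sample (bantime of 1m) the check returns 3; a 1h ban with the same port returns 0.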
##### Certbot [[#^Top|TOP]]

Provides SSL certificates from **Let's Encrypt**. Installation dependencies differ from Nginx and are explained [here](https://linuxhint.com/secure-apache-lets-encrypt-ubuntu/).

##### UFW

Firewall management, see [[Configuring UFW|here]] for more details.

##### Nodejs & Yarn

JavaScript runtime and JS package manager.

---

#### Dedicated Server parameters [[#^Top|TOP]]

| Service | Used value |
|---------|:----------:|
|   |   |
| **Network: [[Configuring Docker\|docker]] dedicated** | 17.27.37.x |
| **IP: pw-manager** | 17.27.37.3 |
| **IP: StandardNotes** | 172.22.0.1 |
| **IP: Git** | 172.21.0.3 |
| **IP: Git db** | 172.21.0.4 |
| **IP: Wordle** | 17.27.37.5 |
| **IP: FreshRSS** | 172.20.0.3 |
| **IP: Pastebin** | 172.18.0.2 |
|   |   |
| **Port: SSH** | 2227 |
| **Port: SN** | 2700 |
| **Port: Git server** | 8087 |
| **Port: Git SSH** | 2227 |

---

#### Password manager [[#^Top|TOP]]

[Bitwarden](https://bitwarden.com) is FOSS enabling self-hosting with a simple deployment through docker/docker-compose.

##### Service parameters (pw-manager)

```ad-info
title: service parameters
**IP**: 17.27.37.3:80
**DockerID**: 970b6f4b6150fa03be24287ae29a065c06ff7ed91a3402f8184c8a9aafa5e94d
**DockerName**: bitwarden_bitwarden_1
---
**Address**: https://pw-manager.mfxm.fr
```

##### User management (pw-manager)

```ad-info
title: Link
[Admin panel](https://pw-manager.mfxm.fr/admin/)
```

The admin panel needs to be set up with an authentication token and is accessed with that token. User & key management is done from within this panel.

---

#### Personal notes [[#^Top|TOP]]

[StandardNotes](https://standardnotes.com) is a program enabling self-hosting with server-side encryption.
##### Service parameters (notes)

```ad-info
title: service parameters
**IP**: 172.22.0.1:2700
**DockerNames**: api-gateway, auth-worker, syncing-server-js-worker, auth, syncing-server-js, db, cache
---
**Address**: https://st-notes.mfxm.fr
```

##### Configuration (notes)

2 files are used to configure the service:

```ad-path
~/standalone/.env
```

```ad-path
~/standalone/docker/auth.env
```

Docs can be found [here](https://docs.standardnotes.com/self-hosting/docker).

##### Pro Subscription

By self-hosting, access to a Pro subscription is granted. Just make sure each user is flagged as pro in the database:

```ad-command
~~~bash
docker-compose exec db sh -c 'MYSQL_PWD=$MYSQL_ROOT_PASSWORD mysql $MYSQL_DATABASE'
~~~
```

Once at the MySQL prompt, run:

```ad-command
~~~sql
INSERT INTO user_roles (role_uuid, user_uuid)
VALUES (
  (SELECT uuid FROM roles WHERE name = "PRO_USER" ORDER BY version DESC LIMIT 1),
  (SELECT uuid FROM users WHERE email = "")   -- the target user's email address
)
ON DUPLICATE KEY UPDATE role_uuid = VALUES(`role_uuid`);
~~~
```

And finally:

```ad-command
~~~sql
INSERT INTO user_subscriptions
SET uuid = UUID(),
    plan_name = "PRO_PLAN",
    ends_at = 8640000000000000,
    created_at = 0,
    updated_at = 0,
    user_uuid = (SELECT uuid FROM users WHERE email = ""),   -- same user's email address
    subscription_id = 1;
~~~
```

##### User management (notes)

No user management per se; the `.env` file controls whether new registrations are allowed.

###### dBeaver

[dBeaver](https://dbeaver.io) is installed to view the database entries.

```ad-info
title: Tutorial for setting up the connection
[Tutorial](https://devimalplanet.com/how-to-dbeaver-remote-database-ssh)
```

Once in the tool, select the data to see and the 'data' pane to visualise the tables.
##### StandardNotes extensions

```ad-info
title: service parameters
**Location**: ~/standardnotes-extensions
**reverse-proxy**: ~/standardnotes-extensions/public
---
**Address**: https://tools.mfxm.fr/extensions/index.json
```

StandardNotes has developed extensions to customise both the skin and editor of the app. It is normally a paid feature but can be self-hosted for free. One GitHub user offers a [repo](https://github.com/iganeshk/standardnotes-extensions) for extensions that can be cloned and linked to the application.

* **Configuration file**

```ad-path
~/standardnotes-extensions/.env
```

* **Repository update**, run in the main folder:

```ad-command
~~~bash
sudo python3 build_repo.py
~~~
```

---

#### Git repository [[#^Top|TOP]]

[Gitea](https://gitea.io) is FOSS enabling self-hosting of a Git instance similar to GitHub.

##### Service parameters (git server)

```ad-info
title: service parameters
**IP**: 172.21.0.3
**Docker ID**: b6ec6f3843c3c9afe13215f73e0f8002475a145e33b0f0b555970b7f6f1ae38b
**Docker Name**: gitea
**Dedicated user**: git
---
**Address**: https://git.mfxm.fr
```

##### Service parameters (git db)

```ad-info
title: service parameters
**IP**: 172.21.0.2
**Docker ID**: a06fac3650f8f7dca29b022401a10f63d825283d762306501690e52ab9073d33
**Docker Name**: gitea_db_1
```

##### User management (git) [[#^Top|TOP]]

User management has not been configured to exclude new users, but an admin panel under the admin login allows controlling and removing users.

##### Doc library (git)

[Link](https://docs.gitea.io/en-us/command-line)

##### Utilities

```ad-path
title: Config file
~/gitea/gitea/gitea/conf/app.ini
```

```ad-code
title: email setup
Gitea can send mail through the server's internal mail relay with the following `app.ini` settings:
~~~ini
[mailer]
ENABLED = true
FROM = (user address)
USE_SENDMAIL = false
HOST = (hostname):25
~~~
```

---

#### News Aggregator [[#^Top|TOP]]

[FreshRSS](https://freshrss.org) is a news aggregator for reading and managing RSS feeds.
It is open-source and self-hostable.

##### Service parameters (News)

```ad-info
title: service parameters
**IP**: 172.20.0.3:80
**DockerNames**: freshrss-app
**live since**: [[2022-03-18]]
---
**Address**: https://news.mfxm.fr
```

##### Configuration (News)

Docker compose set-up.

```ad-path
~/freshrss
```

Docs can be found [here](https://github.com/freshrss/freshrss). In addition, FreshRSS offers the ability to install extensions relatively easily from within the Settings menu.

---

#### Wordle [[#^Top|TOP]]

Wordle is a word game that has been bought by the New York Times.

##### Service parameters (Wordle)

```ad-info
title: service parameters
**IP**: 17.27.37.5:80
**DockerNames**: Wordle
**live since**: [[2022-02-11]]
---
**Address**: https://wordle.mfxm.fr
```

##### Configuration (Wordle)

Docker compose set-up.

```ad-path
~/wordle
```

Docs can be found [here](https://hub.docker.com/r/modem7/wordle).

---

#### Pastebin [[#^Top|TOP]]

Pastebin is a service to share code, text and files quickly among users or publicly.

##### Service parameters (Pastebin)

```ad-info
title: service parameters
**IP**: 172.18.0.2:3001
**DockerNames**: server & client
**live since**: [[2022-04-15]]
---
**Address**: https://pastebin.mfxm.fr
```

##### Configuration (Pastebin)

Docker compose set-up.

```ad-path
~/Drift
```

Docs can be found [here](https://github.com/maxleiter/drift).

---

#### Server-side Monitoring [[#^Top|TOP]]

Refer to the [[Configuring Monit|monit section]] for further information on installation and configuration. List of monitored services:

- System
- SSH
- [[Configuring Fail2ban|Fail2ban]]
- cron
- [[Configuring Postfix|Postfix]]
- docker
- Bitwarden
- Mininote
- Git
- Git db

[[Configuring Telegram bots|Telegram bots]] are also being implemented to receive logs from logwatch & [[Configuring Monit|monit]].
---

### Utilities [[#^Top|TOP]]

#### Cert storage

```ad-path
/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/
```

---

### Pricing [[#^Top|TOP]]

| Tools Server | One-off cost | Recurring subscription p.a. |
|--------------|--------------|:---------------------------:|
| **Server hosting** |   | *$60* |
^ToolsServerCost

---

### Tasks & Further steps

- [ ] [[Server Tools]]: Backup server 🔁 every 6 months on the 1st Tuesday ⏳ 2022-10-04 📅 2022-10-04
- [x] [[Server Tools]]: Backup server 🔁 every 6 months on the 1st Tuesday ⏳ 2022-04-12 📅 2022-04-12 ✅ 2022-04-11
- [x] [[Server Tools]]: Backup server 🔁 every 6 months on the 1st Tuesday 📅 2021-10-14 ✅ 2022-01-08
- [x] [[Server Tools]]: Backup server 🔁 every 6 months on the 1st Tuesday ✅ 2021-10-13
- [x] Set-up landing page
- [ ] [[Selfhosting]], [[Server Tools|Tools]]: Upgrade Gitea & Health checks 🔁 every 4 months 📅 2022-06-18
- [ ] [[Selfhosting]], [[Server Tools|Tools]]: Upgrade Bitwarden & Health checks 🔁 every 4 months 📅 2022-08-18
- [x] [[Selfhosting]], [[Server Tools|Tools]]: Upgrade Bitwarden & Health checks 🔁 every 4 months 📅 2022-04-18 ✅ 2022-04-16
- [ ] [[Selfhosting]], [[Server Tools|Tools]]: Upgrade Standard Notes & Health checks 🔁 every 4 months 📅 2022-05-18

[[#^Top|TOP]]