---
Tag: ["Server", "Security", "Privacy", "App", "Web"]
Date: 2021-09-19
DocType: "Server"
Hierarchy: "NonRoot"
TimeStamp: 2021-09-24
CPU: 2Core
RAM: 4GB
StorageCapa: 40GB
StorageType: SSD
Bandwidth: 4TB
Speed:
OS: Ubuntu 20.04
Domiciliation: NL
IPv4: 41.216.181.11
Hostname: vm919620.desivps.com
Host: DesiVPS
SubDomain: tools
UsedDiskSpace: 17%
---

Parent:: [[mfxm Website Scope|mfxm.fr]]

---

```button
name Edit Server parameters
type command
action MetaEdit: Run MetaEdit
id EditMetaData
```
^button-ToolsServerEdit

```button
name Save
type command
action Save current file
id Save
```
^button-ToolsServerSave

# Tools server

```ad-abstract
title: Summary
collapse: open

Higher-spec server, set up with Docker, hosting a variety of tools as containers.
```

```toc
style: number
```

---

### Server parameters

```ad-quote
title: Dashboard access

[https://clients.desivps.com/clientarea.php](https://clients.desivps.com/clientarea.php)
```

```ad-quote
title: Address

The service is located under **[tools.mfxm.fr](https://tools.mfxm.fr)**.
```

---

### Services

```ad-abstract
title: Service description

The Tools server hosts a variety of tools in Docker containers. A few supporting services that all the others rely on (web server, mail, firewall, monitoring) are installed directly on the host, outside Docker.
```

#### Installed server dependencies

##### Docker

```ad-warning
title: [[Docker config|docker]] for non-root users

The Docker daemon runs as root, and only root and members of the `docker` group can talk to its socket. To let a non-root user drive Docker, add the user to that group:

`sudo usermod -aG docker (username)`

If the group does not exist yet, create it first:

`sudo groupadd docker`

The new membership only takes effect at the next login. Membership in the `docker` group is equivalent to root on the host (a member can start a container that bind-mounts `/` and runs as uid 0), so grant it only to the administrative account.
```

Currently running Docker containers:

```ad-bug
title: sl-network

ID: 3a4d267e8155e3ff957e15c86360de1431d177b2131455707bea99038f179481
IP: 17.27.37.x
```

##### Caddy

[[Caddy config|caddy]] is the web server of choice. Refer to the dedicated note for its configuration and parametrisation.
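As an added illustration (not taken from this page or from the [[Caddy config]] note), a Caddyfile site block of the kind that fronts one of the containers listed below, with HTTP basic authentication in front of the reverse proxy. The hostname `notes.mfxm.fr` and the upstream `17.27.37.7:3000` are the values this page lists for MiniNote; the username and the password hash are placeholders (the hash is the output of `caddy hash-password`), and using `basicauth` specifically is an assumption about how the Caddy-side authentication is done.

```caddyfile
# Added example, not the server's real Caddyfile.
# Fronts the MiniNote container (17.27.37.7:3000, from this page) and requires
# HTTP basic auth before any request reaches it. Caddy obtains and renews the
# Let's Encrypt certificate for this hostname automatically.
notes.mfxm.fr {
	basicauth {
		# placeholder user; the second field is the bcrypt hash printed by:
		#   caddy hash-password
		alice <paste the output of caddy hash-password here>
	}
	# Only requests that passed basicauth get here; everything else is answered
	# with 401 by Caddy and never reaches the container.
	reverse_proxy 17.27.37.7:3000
}
```

Because the container only needs to be reachable from Caddy, it should not publish port 3000 on the public interface; Caddy reaches it over the Docker bridge address above.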
```ad-bug
title: authentication token

LWERS4M7njDLiAJe5A6gkv9jRDabvnzBGyYk9vPr1F5dY0LMu47FSjB0v21BAE83rYTOksElzcYmioWA
```

##### Security

| Program name | Type | Description |
|--------------|------|-------------|
| **fail2ban** | Daemon | Bans hosts after repeated failed login attempts |
| **unattended-upgrades** | Program | Installs OS and package updates automatically |
| **logwatch** | Cron job (daily) | Summarises server log activity and mails the report |

##### fail2ban

Standard installation with a dedicated jail override:

`sudo nano /etc/fail2ban/jail.d/sshd.local`

with the following parameters (the jail has to watch the non-standard SSH port 2227 listed under Dedicated Server parameters; otherwise bans would only apply to port 22):

>[sshd]
>enabled = true
>port = 2227
>maxretry = 10
>bantime = 1m

`findtime` is left at the fail2ban default of 10 minutes, so 10 failures within 10 minutes trigger a 1-minute ban. Compared with the defaults (`maxretry = 5`, `bantime = 10m`) this is lenient and mostly rate-limits brute forcing rather than blocking it.

##### Postfix

Mail Transfer Agent. The configuration is the standard one, so that programs, daemons, [[Nextcloud]] and others can send mail. Such a [[Postfix config|system]] is required on every server, otherwise notifications from fail2ban, logwatch and unattended-upgrades never reach anyone.

##### Certbot

Obtains TLS certificates from **Let's Encrypt**. Its installation dependencies differ from the Nginx case and are explained [here](https://linuxhint.com/secure-apache-lets-encrypt-ubuntu/). Note that Caddy provisions and renews its own Let's Encrypt certificates (see Cert storage under Utilities), so Certbot is only needed for services that are not fronted by Caddy.

##### UFW

Firewall management. Only SSH (2227) and Git SSH (2228) from the table below, plus HTTP/HTTPS for Caddy, need to be reachable from outside. Caveat: ports published by Docker with `-p` are inserted directly into iptables and are reachable regardless of UFW rules, unless the container binds to 127.0.0.1 or Docker's iptables handling is changed.

##### Nodejs & Yarn

JavaScript runtime and package manager.

---

#### Dedicated Server parameters

| Service | Used value |
|---------|:----------:|
| **Internal docker network** | 17.27.37.x |
| **Port: SSH** | 2227 |
| **Port: Git server** | 8087 |
| **Port: Git SSH** | 2228 |

Note that 17.0.0.0/8 is a publicly routable range, not an RFC 1918 private one; Docker's own bridges normally live in 172.16.0.0/12 (like the 172.21.0.x network of the Gitea containers below). Check the real subnet with `docker network inspect sl-network` before relying on it in firewall rules.

---

#### Password manager

[Bitwarden](https://bitwarden.com) is an open-source password manager that can be self-hosted with a straightforward Docker / docker-compose deployment.

##### Service parameters (pw-manager)

```ad-info
title: service parameters

**IP**: 17.27.37.3:80
**Docker ID**: 970b6f4b6150fa03be24287ae29a065c06ff7ed91a3402f8184c8a9aafa5e94d
**Docker Name**: bitwarden_bitwarden_1

---

**Address**: https://pw-manager.mfxm.fr
```

##### User management (pw-manager)

```ad-info
title: Link

[Admin panel](https://pw-manager.mfxm.fr)
```

The admin panel is enabled by configuring an authentication token for the server and is accessed with that same token.
User and key management is done from within this panel.

---

#### Personal notes

[MiniNote](https://github.com/muety/mininote) is an open-source, self-hostable note-taking app with server-side encryption of the notes.

##### Service parameters (notes)

```ad-info
title: service parameters

**IP**: 17.27.37.7:3000
**Docker ID**: 73d91d338b533c05a4ad15968efb0470e924f780d016fab13c98f8f1dc3820af
**Docker Name**: mininote_mininote_1

---

**Address**: https://notes.mfxm.fr
```

##### User management (notes)

MiniNote has no user management of its own. [[Caddy config|Caddy]] adds an authentication layer in front of it, so that only authorised users reach the service.

---

#### Git repository

[Gitea](https://gitea.io) is an open-source, self-hostable Git service similar to GitHub.

##### Service parameters (git server)

```ad-info
title: service parameters

**IP**: 172.21.0.3
**Docker ID**: b6ec6f3843c3c9afe13215f73e0f8002475a145e33b0f0b555970b7f6f1ae38b
**Docker Name**: gitea
**Dedicated user**: git

---

**Address**: https://git.mfxm.fr
```

##### Service parameters (git db)

```ad-info
title: service parameters

**IP**: 172.21.0.2
**Docker ID**: a06fac3650f8f7dca29b022401a10f63d825283d762306501690e52ab9073d33
**Docker Name**: gitea_db_1
```

##### User management (git)

Open registration has not been disabled; the admin panel (under the admin login) can be used to review and remove accounts. On a publicly reachable instance, registration can be closed by setting `DISABLE_REGISTRATION = true` in the `[service]` section of app.ini and restarting Gitea.

##### Doc library (git)

[Link](https://docs.gitea.io/en-us/command-line)

##### Utilities

```ad-bug
title: Config file

~/gitea/gitea/gitea/conf/app.ini
```

```ad-bug
title: email setup

Gitea can send mail through the local MTA via the `[mailer]` section of app.ini:

>ENABLED = true
>FROM = (user address)
>USE_SENDMAIL = false
>HOST = (hostname):25
```

---

#### Server-side Monitoring

Refer to the [[Monit config|monit section]] for further information on installation and configuration.
List of monitored services:

- System
- SSH
- Fail2ban
- cron
- Postfix
- docker
- Bitwarden
- Mininote
- Git
- Git db

---

### Utilities

#### Cert storage

`/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/`

---

### Pricing

| Tools Server | One-off cost | Recurring subscription p.a. |
|--------------|--------------|:---------------------------:|
| **Server hosting** | | *$60* |
^ToolsServerCost

---

### Tasks & Further steps

- [ ] [[Tools Server]]: Backup server 🔁 every 6 months on the 1st Tuesday
- [x] Set-up landing page
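A worked check for the fail2ban sshd jail listed under Security. This is an added example, not part of the original note and not fail2ban's own code: a minimal re-implementation of the jail's counting rule (ban a source once `maxretry` failures fall inside a sliding window of `findtime` seconds) in bash/awk, run over a few constructed auth.log lines (not from this server) so the effect of `maxretry` and `findtime` can be seen without touching a live jail. The match only covers the `Failed password` message; fail2ban's real sshd filter recognises many more.

```bash
#!/usr/bin/env bash
# Added example, not from the page or from fail2ban: re-implements the
# maxretry/findtime rule of the [sshd] jail over constructed sample log lines.
set -u

# Constructed sample auth.log lines (not from the server). All on one day,
# so the HH:MM:SS field alone gives the ordering. Two sources attempt logins:
# 203.0.113.7 fails three times within 4 seconds, 198.51.100.4 fails once,
# then twice more twenty minutes later.
SAMPLE_LOG='Sep 19 10:00:01 tools sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Sep 19 10:00:03 tools sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Sep 19 10:00:05 tools sshd[1203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Sep 19 10:00:09 tools sshd[1204]: Accepted publickey for git from 198.51.100.4 port 40001 ssh2
Sep 19 10:00:12 tools sshd[1205]: Failed password for invalid user test from 198.51.100.4 port 40002 ssh2
Sep 19 10:20:30 tools sshd[1301]: Failed password for invalid user oracle from 198.51.100.4 port 40010 ssh2
Sep 19 10:20:31 tools sshd[1302]: Failed password for invalid user oracle from 198.51.100.4 port 40011 ssh2'

# ban_candidates MAXRETRY FINDTIME_SECONDS < log
# Prints, one per line and in the order they would be banned, every source IP
# that accumulates MAXRETRY failures within any FINDTIME-second window.
ban_candidates() {
    awk -v maxretry="$1" -v findtime="$2" '
        /sshd.*Failed password for/ {
            # field 3 is HH:MM:SS; convert to seconds since midnight
            split($3, t, ":")
            ts = t[1] * 3600 + t[2] * 60 + t[3]
            # the source address is the token after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++
            times[ip, n[ip]] = ts
            # count this source'"'"'s failures inside the window ending now
            c = 0
            for (j = 1; j <= n[ip]; j++) if (ts - times[ip, j] <= findtime) c++
            if (c >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }'
}

# Demo with the jail on this page (maxretry 10, default findtime 600 s): nobody is
# banned on this sample. With maxretry 3 only the fast burst from 203.0.113.7 is
# banned; widening findtime to 3600 s also catches the slow 198.51.100.4.
echo "maxretry=10 findtime=600:"; printf '%s\n' "$SAMPLE_LOG" | ban_candidates 10 600
echo "maxretry=3 findtime=600:";  printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3 600
echo "maxretry=3 findtime=3600:"; printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3 3600
```

The third run shows why `findtime` matters as much as `maxretry`: a slow attacker spreading attempts beyond the window is never banned, regardless of how low `maxretry` is set.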