---
Tag: ["🖥️", "🛡️", "🕵🏼", "📲", "🌐", "🛠️"]
Date: 2021-09-19
DocType: "Server"
Hierarchy: "NonRoot"
location: [52.3790565, 4.8981734]
Performance:
  CPU: 2Core
  RAM: 6GB
  Bandwidth: 3TB
  Speed:
Characteristics:
  OS: Ubuntu 20.04
  Domiciliation: NL
  IPv4: 194.5.97.163
  Hostname:
    Host: "Web Horizon"
    SubDomain: tools
Disk:
  Capa: 90GB
  Type: SSD
  UsedSpace: 7%
TimeStamp: 2023-03-02
CollapseMetaTable: true
---

Parent:: [[mfxm Website Scope|mfxm.fr]], [[Privacy & Security]], [[@IT & Computer|IT & Computer]]

---

# Tools server

```ad-abstract
title: Summary
collapse: open
Higher spec server to be set up with docker to host a variety of tools using containers.
```

```toc
style: number
```

---

### Server parameters

```ad-quote
title: Dashboard access
[Customer area](https://clients.webhorizon.net/)
```

```ad-quote
title: Address
The service will be located under **[tools.mfxm.fr](https://tools.mfxm.fr)**.
```

---

### Services

```ad-abstract
title: Service description
The Tools server will host a variety of tools in docker containers. Several services will aim to serve all others and will be installed outside of docker containers.
```

#### Installed server dependencies

##### Docker

```ad-warning
title: [[Configuring Docker|docker]] for non root users
[[Configuring Docker|docker]] predominantly works for the root user. In order to let non-root users instruct Docker, users need to be added to the Docker group:

`sudo usermod -aG docker (username)`

Potentially, the Docker group needs to be created first:

`sudo groupadd docker`
```

Currently running Docker containers

```ad-bug
title: docker network
ID: 3a4d267e8155e3ff957e15c86360de1431d177b2131455707bea99038f179481
IP: 17.27.37.x
```

##### Caddy

[[Configuring Caddy|caddy]] is the webserver of choice. Refer to the dedicated note for config and parametrisation.

```ad-bug
title: authentication token
LWERS4M7njDLiAJe5A6gkv9jRDabvnzBGyYk9vPr1F5dY0LMu47FSjB0v21BAE83rYTOksElzcYmioWA
```

##### Security

| Program name | Type | Description |
|----------------|------|-------------|
| **[[Configuring Fail2ban\|fail2ban]]** | Daemon | Blocks suspicious attempts to login |
| **unattended-upgrades** | Program | Enables automatic updates of installed programs and OS |
| **logwatch** | Daemon | Monitors activity on server and sends activity logs |

##### fail2ban

Classic [[Configuring Fail2ban|fail2ban]] installation with a dedicated configuration:

```ad-command
~~~bash
sudo nano /etc/fail2ban/jail.d/sshd.local
~~~
```

With the following parameters:

```ad-code
~~~ini
[sshd]
enabled = true
port = 2227
maxretry = 10
bantime = 1m
~~~
```

Please refer to the [[Configuring Fail2ban|conf guide]] for a detailed description.
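The jail above is written for port 2227, while the Dedicated Server parameters table further down records SSH on port 7247. As an added example that is not part of this note, the POSIX shell check below compares the `port` of the `[sshd]` jail with the `Port` directive of `sshd_config`; the sample files it builds are constructed to mirror those two values, and the function names are my own.

```shell
#!/bin/sh
# Added check, not part of the note: confirm that the fail2ban [sshd] jail
# bans on the port sshd actually listens on. The jail still matches auth.log
# if the port is wrong, but the firewall rule it installs only covers the
# port listed in the jail, so a mismatch leaves the real SSH port unbanned.
set -eu

# Print the "port" value from the [sshd] section of a jail.d file.
jail_port() {
  awk -F= '
    /^\[/ { in_sshd = ($0 == "[sshd]") }
    in_sshd && $1 ~ /^[ \t]*port[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }
  ' "$1"
}

# Print the Port directive of an sshd_config (first uncommented match).
sshd_port() {
  awk '$1 == "Port" { print $2; exit }' "$1"
}

# Exit 0 when both files agree on the port, 1 otherwise (sshd defaults to 22).
check_ssh_jail() {
  jp=$(jail_port "$1")
  sp=$(sshd_port "$2")
  if [ -n "$jp" ] && [ "$jp" = "${sp:-22}" ]; then
    echo "ok: jail and sshd both use port $jp"
    return 0
  fi
  echo "mismatch: jail port '${jp:-unset}' vs sshd port '${sp:-22 (default)}'"
  return 1
}

# Constructed sample files mirroring the note (jail on 2227, sshd on 7247).
tmp=$(mktemp -d)
cat > "$tmp/sshd.local" <<'EOF'
[sshd]
enabled = true
port=2227
maxretry = 10
bantime = 1m
EOF
printf 'Port 7247\nPermitRootLogin no\n' > "$tmp/sshd_config"

check_ssh_jail "$tmp/sshd.local" "$tmp/sshd_config" || true
```

On the real host, point the two arguments at `/etc/fail2ban/jail.d/sshd.local` and `/etc/ssh/sshd_config` instead of the constructed files.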

##### Postfix

Mail Transfer Agent. Configuration is standard to allow emails to be sent by programs / daemons / [[Nextcloud]] or others. Such a [[Configuring Postfix|system]] is required for every server to work correctly.

##### Certbot

Provides SSL certificates from **Let's Encrypt**. Installation dependencies are different from Nginx and are explained [here](https://linuxhint.com/secure-apache-lets-encrypt-ubuntu/).

##### UFW

Firewall management, see [[Configuring UFW|here]] for more details.

##### JQ

`jq` is a small Linux utility that helps parse `json` files. It is helpful to read [[Configuring Caddy|caddy]]'s logs.

---

#### Dedicated Server parameters

| Service | Used value |
|---------|:---------:|
| **Network: [[Configuring Docker\|docker]] dedicated** | 17.27.37.x |
| **IP: pw-manager** | 172.18.0.2 |
| **IP: Git** | 172.21.0.3 |
| **IP: Git db** | 172.21.0.4 |
| **IP: Wordle** | 172.23.0.2 |
| **IP: FreshRSS** | 172.22.0.3 |
| **IP: Baikal** | 172.25.0.2 |
| **IP: Uptime Kuma** | 172.26.0.2 |
| **Port: SSH** | 7247 |
| **Port: Git server** | 8087 |
| **Port: Git SSH** | 22 |

---

#### Password manager

[Bitwarden](https://bitwarden.com) is a FOSS password manager that can be self-hosted with a simple docker/docker-compose deployment thanks to a clone called Vaultwarden.

##### Service parameters (pw-manager)

```ad-info
title: service parameters
**IP**: 172.18.0.2:80
**DockerID**: 0ae422b57ee3739e8a21c961ee5609b93c72504b1dbab8766cce3f98aedd1213
**DockerName**: vaultwarden

---

**Address**: https://pw-manager.mfxm.fr
```

Up since [[2023-03-03|3rd March 2023]].

##### User management (pw-manager)

```ad-info
title: Link
[Admin panel](https://pw-manager.mfxm.fr/admin/)
```

The admin panel needs to be set up with an authentication token and is accessed with that token. User & key management is done from within this panel.

---

#### Git repository

[Gitea](https://gitea.io) is a FOSS tool for self-hosting a Git service similar to GitHub.

##### Service parameters (git server)

```ad-info
title: service parameters
**IP**: 172.21.0.3:3000
**Docker ID**: 670b46f834ab0e73b0183dd1c488ae9dbb1d39673695948391dd1a71263e0090
**Docker Name**: gitea
**Dedicated user**: git

---

**Address**: https://git.mfxm.fr
```

Up since [[2023-03-04|4th March 2023]].

##### Service parameters (git db)

```ad-info
title: service parameters
**IP**: 172.21.0.2
**Docker ID**: d28c38ea916e8a9554979ad31a1425bd081e20878faa08ba5ac137bfe357fa7a
**Docker Name**: gitea-db-1
```

##### User management (git)

User management has not been configured to exclude new users, but an admin panel exists to control and remove users under the admin login.

##### Doc library (git)

[Link](https://docs.gitea.io/en-us/command-line)

##### Utilities

```ad-path
title: Config file
~/gitea/gitea/gitea/conf/app.ini
```

```ad-code
title: email setup
Gitea can send mail through the local MTA with the following settings in the `[mailer]` section of `app.ini`:
~~~ini
[mailer]
ENABLED = true
FROM = (user address)
USE_SENDMAIL = false
HOST = (hostname):25
~~~
```

---

#### News Aggregator

[FreshRSS](https://freshrss.org) is a news aggregator for reading and managing RSS feeds.
It is open-source and self-hostable.

##### Service parameters (News Server)

```ad-info
title: service parameters
**IP**: 172.22.0.3:80
**DockerNames**: freshrss-app
**Docker ID**: 9570cdc893c5277721c6e5da77af224ee312b233c618330a3f59616cbf17052b
**live since**: [[2023-03-05]]

---

**Address**: https://news.mfxm.fr
```

##### Service parameters (News db)

```ad-info
title: service parameters
**IP**: 172.22.0.2
**Docker ID**: d28c38ea916e8a9554979ad31a1425bd081e20878faa08ba5ac137bfe357fa7a
**Docker Name**: freshrss-db
```

##### Configuration (News)

Docker compose set-up.

```ad-path
~/freshrss
```

Docs can be found [here](https://github.com/freshrss/freshrss).
In addition, FreshRSS offers the ability to install extensions relatively easily from within the Settings menu.

---

#### Contacts server

[Baikal](https://sabre.io/baikal/) is a lightweight CardDAV and CalDAV server that is compatible with all main clients, including iOS' native system.
Docs can be found [here](https://sabre.io/dav/).

```ad-info
title: service parameters
**IP**: 172.25.0.2:80
**DockerNames**: baikal-baikal-1
**Docker ID**: bea530530b5dcc0de401793726408172e977f9faf80b9709ed61cae90cc33317
**live since**: [[2023-03-05]]

---

**Address**: https://contacts.mfxm.fr
```

---

#### Uptime manager

[Uptime Kuma](https://uptime.kuma.pet/) is a modern utility to monitor the uptime of services and receive alerts.
It can be paired with [[Configuring Telegram bots|Telegram]], Signal or other types of message delivery systems.

```ad-info
title: service parameters
**IP**: 172.26.0.2:3001
**DockerNames**: uptime-kuma
**Docker ID**: 995ba675785e2618bed8a2d125b0bfe7d8eef4d4e3e5cabc35843a1378d8b411
**live since**: [[2023-03-07]]

---

**Address**: https://status.mfxm.fr
```

---

#### Automation

[Change detection](https://changedetection.io/) is a modern utility to monitor changes in websites.
It can be paired with [[Configuring Telegram bots|Telegram]], Signal or other types of message delivery systems.

```ad-info
title: service parameters
**IP**: 172.27.0.2:5000
**DockerNames**: changedetection
**Docker ID**: 852906e618865b8f3862a327217e0542fc90feffa892ae33b1635d73b211df27
**live since**: [[2023-03-09]]

---

**Address**: https://automat.mfxm.fr
```

---

#### Wordle

Wordle is a word game that has been bought by the New York Times.

##### Service parameters (Wordle)

```ad-info
title: service parameters
**IP**: 172.23.0.2:80
**DockerNames**: Wordle
**Docker ID**: 694fef02c9a5332d8a862275d865e8af959d4dacdd4a888316240f3d49c40cde
**live since**: [[2023-03-05]]

---

**Address**: https://wordle.mfxm.fr
```

##### Configuration (Wordle)

Docker compose set-up.

```ad-path
~/wordle
```

Docs can be found [here](https://hub.docker.com/r/modem7/wordle).

---

#### Server-side Monitoring

Refer to the [[Configuring Monit|monit section]] for further information on installation and configuration.

List of monitored services:
- System
- SSH
- [[Configuring Fail2ban|Fail2ban]]
- cron
- [[Configuring Postfix|Postfix]]
- docker
- Bitwarden
- Mininote
- Git
- Git db

[[Configuring Telegram bots|Telegram bots]] are also being implemented to receive logs from logwatch & [[Configuring Monit|monit]].

---

### Utilities

#### Cert storage

```ad-path
/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/
```

---

### Pricing

| <mark class="green">Tools Server</mark> | One-off cost | Recurring subscription p.a. |
|--------|---------------|:----------------------:|
| <p style="color:cyan">**Server hosting**</p> |   | *$120* |
^ToolsServerCost

---

### Tasks & Further steps

- [ ] :hammer_and_wrench: [[Server Tools]]: Backup server %%done_del%% 🔁 every 6 months on the 1st Tuesday ⏳ 2024-10-01 📅 2024-10-01
- [x] Set-up landing page
- [ ] :desktop_computer: [[Selfhosting]], [[Server Tools|Tools]]: Upgrade Gitea & Health checks %%done_del%% 🔁 every 4 months 📅 2024-10-18
- [x] :desktop_computer: [[Selfhosting]], [[Server Tools|Tools]]: Upgrade Gitea & Health checks %%done_del%% 🔁 every 4 months 📅 2024-06-18 ✅ 2024-06-18
- [ ] :closed_lock_with_key: [[Selfhosting]], [[Server Tools|Tools]]: Upgrade Bitwarden & Health checks %%done_del%% 🔁 every 4 months 📅 2024-12-17
- [x] :closed_lock_with_key: [[Selfhosting]], [[Server Tools|Tools]]: Upgrade Bitwarden & Health checks %%done_del%% 🔁 every 4 months 📅 2024-08-17 ✅ 2024-08-17