---
Tag: ["🖥️", "🛡️", "🕵🏼", "📲", "🌐", "🛠️"]
Date: 2021-09-19
DocType: "Server"
Hierarchy: "NonRoot"
location: [52.3790565, 4.8981734]
Performance:
CPU: 2Core
RAM: 6GB
Bandwidth: 3TB
Speed:
Characteristics:
OS: Ubuntu 20.04
Domiciliation: NL
IPv4: 194.5.97.163
Hostname:
Host: "Web Horizon"
SubDomain: tools
Disk:
Capa: 90GB
Type: SSD
UsedSpace: 7%
TimeStamp: 2023-03-02
CollapseMetaTable: true
---
Parent:: [[mfxm Website Scope|mfxm.fr]], [[Privacy & Security]], [[@IT & Computer|IT & Computer]]
---
 
```button
name Edit Server parameters
type command
action MetaEdit: Run MetaEdit
id EditMetaData
```
^button-ToolsServerEdit
```button
name Save
type command
action Save current file
id Save
```
^button-ToolsServerSave
 
# Tools server
 
```ad-abstract
title: Summary
collapse: open
Higher spec server to be set up with docker to host a variety of tools using containers.
```
 
```toc
style: number
```
 
---
 
### Server parameters
 
```ad-quote
title: Dashboard access
[Customer area](https://clients.webhorizon.net/)
```
 
```ad-quote
title: Address
The service will be located under **[tools.mfxm.fr](https://tools.mfxm.fr)**.
```
 
---
 
### Services
 
```ad-abstract
title: Service description
The Tools server will host a variety of tools in Docker containers. A few supporting services that all the others rely on will be installed directly on the host, outside of Docker containers.
```
 
#### Installed server dependencies
##### Docker
```ad-warning
title: [[Configuring Docker|docker]] for non root users
By default only root can talk to the [[Configuring Docker|docker]] daemon. To let a non-root user run Docker commands, add that user to the `docker` group:
`sudo usermod -aG docker (username)`
If the `docker` group does not exist yet, create it first:
`sudo groupadd docker`
Membership in the `docker` group grants root-equivalent control of the host, so only add users who are trusted with root.
```
Currently running Docker containers
```ad-bug
title: docker network
ID: 3a4d267e8155e3ff957e15c86360de1431d177b2131455707bea99038f179481
IP: 17.27.37.x
```
 
##### Caddy
[[Configuring Caddy|caddy]] is the webserver of choice. Refer to the dedicated note for config and parametrisation.
```ad-bug
title: authentication token
LWERS4M7njDLiAJe5A6gkv9jRDabvnzBGyYk9vPr1F5dY0LMu47FSjB0v21BAE83rYTOksElzcYmioWA
```
 
##### Security
| Program name | Type | Description
|----------------|------|-------------
| **[[Configuring Fail2ban\|fail2ban]]** | Daemon | Blocks suspicious attempts to login
| **unattended-upgrades** | Program | Enables automatic updates of installed programs and OS
| **logwatch** | Daemon | Monitors activity on server and sends activity logs
 
##### fail2ban
Classic [[Configuring Fail2ban|fail2ban]] installation with a dedicated configuration:
```ad-command
~~~bash
sudo nano /etc/fail2ban/jail.d/sshd.local
~~~
```
With the following parameters:
```ad-code
~~~ini
[sshd]
enabled = true
port=2227
maxretry = 10
bantime = 1m
~~~
```
 
Please refer to the [[Configuring Fail2ban|conf guide]] for a detailed description.
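fail2ban only bans traffic on the port(s) named in the jail, so the `port` value above has to match the port sshd actually listens on, otherwise failed logins on the real port are never punished. The following Python script is an added example, not part of this note or of fail2ban, that parses a jail file like the one above together with an `sshd_config` and reports such mismatches; it also compares `bantime` and `maxretry` against fail2ban's own defaults (10m and 5). Both config snippets are constructed samples: the jail copies the parameters above, and the `sshd_config` uses the SSH port listed in the dedicated server parameters table; on a real host read `/etc/fail2ban/jail.d/sshd.local` and `/etc/ssh/sshd_config` instead. The service name `ssh` in a jail's `port` entry is mapped to 22, an assumption made for this example.

```python
"""Consistency check for a fail2ban sshd jail against the real sshd port.

Added example, not part of the original note. fail2ban only bans traffic
on the ports named in the jail, so a jail whose `port` does not match the
port sshd listens on never blocks the client it was meant to block.
"""
import configparser
import re

# Constructed sample of /etc/fail2ban/jail.d/sshd.local (mirrors the note's jail)
SAMPLE_JAIL = """\
[sshd]
enabled = true
port=2227
maxretry = 10
bantime = 1m
"""

# Constructed sample of /etc/ssh/sshd_config (Port taken from the parameters table)
SAMPLE_SSHD_CONFIG = """\
# Port 22
Port 7247
PermitRootLogin no
PasswordAuthentication no
"""

# fail2ban's own defaults (jail.conf), used as the baseline for the tuning checks
DEFAULT_BANTIME_S = 600   # bantime = 10m
DEFAULT_MAXRETRY = 5

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_jail(text: str) -> dict:
    """Return the [sshd] section of a fail2ban jail file (INI syntax) as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["sshd"]) if cp.has_section("sshd") else {}


def fail2ban_seconds(value: str) -> int:
    """Convert a fail2ban duration such as '1m', '10m', '1h' or '600' to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw]?)\s*", value)
    if not m:
        raise ValueError(f"unsupported fail2ban time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def jail_ports(port_value: str) -> set:
    """Ports a jail's `port` entry covers; the service name 'ssh' is assumed to mean 22."""
    ports = set()
    for item in port_value.split(","):
        item = item.strip()
        ports.add(22 if item == "ssh" else int(item))
    return ports


def sshd_ports(text: str) -> set:
    """Ports sshd listens on: every uncommented `Port N` line, or 22 if none."""
    ports = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) == 2 and parts[0].lower() == "port":
            ports.add(int(parts[1]))
    return ports or {22}


def check_sshd_jail(jail_text: str, sshd_text: str) -> list:
    """Return human-readable findings; an empty list means the jail is consistent."""
    findings = []
    jail = parse_jail(jail_text)
    if jail.get("enabled", "false").strip().lower() != "true":
        return ["sshd jail is not enabled"]
    listening = sshd_ports(sshd_text)
    covered = jail_ports(jail.get("port", "ssh"))
    uncovered = listening - covered
    if uncovered:
        findings.append(
            f"sshd listens on {sorted(uncovered)} but the jail only bans port(s) "
            f"{sorted(covered)}: failed logins on the real port are never banned"
        )
    bantime = fail2ban_seconds(jail.get("bantime", "10m"))
    if bantime < DEFAULT_BANTIME_S:
        findings.append(f"bantime is {bantime}s, below fail2ban's default of {DEFAULT_BANTIME_S}s")
    maxretry = int(jail.get("maxretry", str(DEFAULT_MAXRETRY)))
    if maxretry > DEFAULT_MAXRETRY:
        findings.append(f"maxretry is {maxretry}, above fail2ban's default of {DEFAULT_MAXRETRY}")
    return findings


if __name__ == "__main__":
    for finding in check_sshd_jail(SAMPLE_JAIL, SAMPLE_SSHD_CONFIG) or ["jail is consistent"]:
        print(finding)
```

Run against the constructed samples the script reports three findings: the port mismatch, the one-minute `bantime` and the `maxretry` of 10. The defaults are only a baseline; the point of the check is that the jail's `port` is verified against what sshd really listens on rather than assumed.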
 
##### Postfix
Mail Transfer Agent. The configuration is standard, allowing emails to be sent by programs, daemons, [[Nextcloud]] and others. Such a [[Configuring Postfix|system]] is required on every server for it to work correctly.
 
##### Certbot
[[#^Top|TOP]]
Provides SSL certificates from **Let's Encrypt**. Installation dependencies differ from the Nginx setup and are explained [here](https://linuxhint.com/secure-apache-lets-encrypt-ubuntu/).
 
##### UFW
Firewall management, see [[Configuring UFW|here]] for more details.
 
##### JQ
`jq` is a small Linux command-line utility for parsing `json`. It is helpful for reading [[Configuring Caddy|caddy]]'s logs.
 
---
 
#### Dedicated Server parameters
[[#^Top|TOP]]
| Service | Used value
|---------|:---------:
| **Network: [[Configuring Docker\|docker]] dedicated** | 17.27.37.x
| **IP: pw-manager** | 172.18.0.2
| **IP: Git** | 172.21.0.3
| **IP: Git db** | 172.21.0.4
| **IP: Wordle** | 172.23.0.2
| **IP: FreshRSS** | 172.22.0.3
| **IP: Baikal** | 172.25.0.2
| **IP: Uptime Kuma** | 172.26.0.2
|   |  
| **Port: SSH** | 7247
| **Port: Git server** | 8087
| **Port: Git SSH** | 22
 
---
 
#### Password manager
[Bitwarden](https://bitwarden.com) is a FOSS password manager that can be self-hosted with a simple docker/docker-compose deployment thanks to a compatible clone called Vaultwarden.
 
##### Service parameters (pw-manager)
```ad-info
title: service parameters
**IP**: 172.18.0.2:80
**DockerID**: 0ae422b57ee3739e8a21c961ee5609b93c72504b1dbab8766cce3f98aedd1213
**DockerName**: vaultwarden
---
**Address**: https://pw-manager.mfxm.fr
```
Up since [[2023-03-03|3rd March 2023]]
 
##### User management (pw-manager)
```ad-info
title: Link
[Admin panel](https://pw-manager.mfxm.fr/admin/)
```
The admin panel needs to be set up with an authentication token and is accessed with the token. User & key management is done from within this panel.
 
---
 
#### Git repository
[Gitea](https://gitea.io) is a FOSS tool for self-hosting a Git service similar to GitHub.
 
##### Service parameters (git server)
```ad-info
title: service parameters
**IP**: 172.21.0.3:3000
**Docker ID**: 670b46f834ab0e73b0183dd1c488ae9dbb1d39673695948391dd1a71263e0090
**Docker Name**: gitea
**Dedicated user**: git
---
**Address**: https://git.mfxm.fr
```
Up since [[2023-03-04|4th March 2023]].
 
##### Service parameters (git db)
```ad-info
title: service parameters
**IP**: 172.21.0.2
**Docker ID**: d28c38ea916e8a9554979ad31a1425bd081e20878faa08ba5ac137bfe357fa7a
**Docker Name**: gitea-db-1
```
 
##### User management (git)
User registration has not been configured to exclude new users, but an admin panel reachable with the admin login allows controlling and removing users.
 
##### Doc library (git)
[Link](https://docs.gitea.io/en-us/command-line)
 
##### Utilities
```ad-path
title: Config file
~/gitea/gitea/gitea/conf/app.ini
```
 
```ad-code
title: email setup
Gitea can send mail through the local mail system with the following settings in the `[mailer]` section of `app.ini`:
~~~ini
[mailer]
ENABLED = true
; sender address shown on outgoing mail
FROM = (user address)
; deliver over SMTP to the local MTA instead of calling the sendmail binary
USE_SENDMAIL = false
HOST = (hostname):25
~~~
```
 
---
 
#### News Aggregator
 
[FreshRSS](https://freshrss.org) is a news aggregator for reading and managing RSS feeds.
It is open-source and self-hostable.
 
##### Service parameters (News Server)
```ad-info
title: service parameters
**IP**: 172.22.0.3:80
**DockerNames**: freshrss-app
**Docker ID**: 9570cdc893c5277721c6e5da77af224ee312b233c618330a3f59616cbf17052b
**live since**: [[2023-03-05]]
---
**Address**: https://news.mfxm.fr
```
 
##### Service parameters (News db)
```ad-info
title: service parameters
**IP**: 172.22.0.2
**Docker ID**: d28c38ea916e8a9554979ad31a1425bd081e20878faa08ba5ac137bfe357fa7a
**Docker Name**: freshrss-db
```
 
##### Configuration (News)
Docker compose set-up.
```ad-path
~/freshrss
```
Docs can be found [here](https://github.com/freshrss/freshrss).
In addition, FreshRSS offers the ability to install extensions relatively easily from within the Settings menu.
 
---
 
#### Contacts server
 
[Baikal](https://sabre.io/baikal/) is a lightweight CardDAV and CalDAV server compatible with all major clients, including the native iOS apps.
Docs can be found [here](https://sabre.io/dav/).
 
```ad-info
title: service parameters
**IP**: 172.25.0.2:80
**DockerNames**: baikal-baikal-1
**Docker ID**: bea530530b5dcc0de401793726408172e977f9faf80b9709ed61cae90cc33317
**live since**: [[2023-03-05]]
---
**Address**: https://contacts.mfxm.fr
```
 
---
 
#### Uptime manager
 
[Uptime Kuma](https://uptime.kuma.pet/) is a modern utility to monitor the uptime of services and receive alerts.
It can be paired with [[Configuring Telegram bots|Telegram]], Signal or other types of message delivery systems.
 
```ad-info
title: service parameters
**IP**: 172.26.0.2:3001
**DockerNames**: uptime-kuma
**Docker ID**: 995ba675785e2618bed8a2d125b0bfe7d8eef4d4e3e5cabc35843a1378d8b411
**live since**: [[2023-03-07]]
---
**Address**: https://status.mfxm.fr
```
 
---
 
#### Automation
 
[Change detection](https://changedetection.io/) is a modern utility to monitor the changes in websites.
It can be paired with [[Configuring Telegram bots|Telegram]], Signal or other types of message delivery systems.
 
```ad-info
title: service parameters
**IP**: 172.27.0.2:5000
**DockerNames**: changedetection
**Docker ID**: 852906e618865b8f3862a327217e0542fc90feffa892ae33b1635d73b211df27
**live since**: [[2023-03-09]]
---
**Address**: https://automat.mfxm.fr
```
 
---
 
#### Wordle
 
Wordle is a word game that has been bought by the New York Times.
 
##### Service parameters (Wordle)
```ad-info
title: service parameters
**IP**: 172.23.0.2:80
**DockerNames**: Wordle
**Docker ID**: 694fef02c9a5332d8a862275d865e8af959d4dacdd4a888316240f3d49c40cde
**live since**: [[2023-03-05]]
---
**Address**: https://wordle.mfxm.fr
```
 
##### Configuration (Wordle)
Docker compose set-up.
```ad-path
~/wordle
```
Docs can be found [here](https://hub.docker.com/r/modem7/wordle).
 
---
 
#### Server-side Monitoring
Refer to the [[Configuring Monit|monit section]] for further information on installation and configuration.
List of monitored services:
- System
- SSH
- [[Configuring Fail2ban|Fail2ban]]
- cron
- [[Configuring Postfix|Postfix]]
- docker
- Bitwarden
- Mininote
- Git
- Git db
 
[[Configuring Telegram bots|Telegram bots]] are also being implemented to receive logs from logwatch & [[Configuring Monit|monit]].
 
---
 
### Utilities
 
#### Cert storage
```ad-path
/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/
```
 
---
 
### Pricing
 
<mark class="green">Tools Server</mark> | One-off cost | Recurring subscription p.a.
--------|---------------|:----------------------:
<p style="color:cyan">**Server hosting**</p> | &emsp; | *$120*
^ToolsServerCost
&emsp;
---
&emsp;
### Tasks & Further steps
&emsp;
- [ ] :hammer_and_wrench: [[Server Tools]]: Backup server %%done_del%% 🔁 every 6 months on the 1st Tuesday ⏳ 2024-10-01 📅 2024-10-01
- [x] Set-up landing page
- [ ] :desktop_computer: [[Selfhosting]], [[Server Tools|Tools]]: Upgrade Gitea & Health checks %%done_del%% 🔁 every 4 months 📅 2024-10-18
- [x] :desktop_computer: [[Selfhosting]], [[Server Tools|Tools]]: Upgrade Gitea & Health checks %%done_del%% 🔁 every 4 months 📅 2024-06-18 ✅ 2024-06-18
- [ ] :closed_lock_with_key: [[Selfhosting]], [[Server Tools|Tools]]: Upgrade Bitwarden & Health checks %%done_del%% 🔁 every 4 months 📅 2024-12-17
- [x] :closed_lock_with_key: [[Selfhosting]], [[Server Tools|Tools]]: Upgrade Bitwarden & Health checks %%done_del%% 🔁 every 4 months 📅 2024-08-17 ✅ 2024-08-17
&emsp;
&emsp;