You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

719 lines
14 KiB

---
Tag: ["Server", "Security", "Privacy", "App", "Web", "Tools"]
Date: 2021-09-19
DocType: "Server"
Hierarchy: "NonRoot"
Performance:
CPU: 2Core
RAM: 4GB
Bandwidth: 4TB
Speed:
Characteristics:
OS: Ubuntu 20.04
Domiciliation: NL
IPv4: 41.216.181.11
Hostname: vm919620.desivps.com
Host: DesiVPS
SubDomain: tools
Disk:
Capa: 40GB
Type: SSD
UsedSpace: 31%
TimeStamp: 2021-11-13
CollapseMetaTable: true
---
Parent:: [[mfxm Website Scope|mfxm.fr]], [[Privacy & Security]], [[@IT & Computer|IT & Computer]]
---
^Top
 
```button
name Edit Server parameters
type command
action MetaEdit: Run MetaEdit
id EditMetaData
```
^button-ToolsServerEdit
```button
name Save
type command
action Save current file
id Save
```
^button-ToolsServerSave
 
# Tools server
 
```ad-abstract
title: Summary
collapse: open
Higher spec server to be set up with docker to host a variety of tools using containers.
```
 
```toc
style: number
```
 
---
 
### Server parameters
[[#^Top|TOP]]
 
```ad-quote
title: Dashboard access
[https://clients.desivps.com/clientarea.php](https://clients.desivps.com/clientarea.php)
```
 
```ad-quote
title: Address
The service will be located under **[tools.mfxm.fr](https://tools.mfxm.fr)** .
```
 
---
 
### Services
[[#^Top|TOP]]
 
```ad-abstract
title: Service description
The Tools server will host a variety of tools in docker containers. Several services will aim to service all others and will be installed outside of docker containers.
```
 
#### Installed server dependencies
[[#^Top|TOP]]
##### Docker
```ad-warning
title: [[Configuring Docker|docker]] for non root users
[[Configuring Docker|docker]] predominantly works for the root user. In order to let non-root users instruct Docker, users need to be added to the Docker group:
`sudo usermod -aG docker (username)`
Potentially, the Docker group needs to be defined:
`sudo groupadd docker`
```
Currently running Docker containers
```ad-bug
title: docker network
ID: 3a4d267e8155e3ff957e15c86360de1431d177b2131455707bea99038f179481
IP: 17.27.37.x
```
 
##### Caddy
[[#^Top|TOP]]
[[Configuring Caddy|caddy]] is the webserver of choice. Refer to the dedicated note for config and parametrisation.
```ad-bug
title: authentication token
LWERS4M7njDLiAJe5A6gkv9jRDabvnzBGyYk9vPr1F5dY0LMu47FSjB0v21BAE83rYTOksElzcYmioWA
```
 
##### Security
| Program name | Type | Description
|----------------|------|-------------
| **[[Configuring Fail2ban\|fail2ban]]** | Daemon | Blocks suspicious attempts to login
| **unattended-upgrades** | Program | Enables automatic updates of installed programs and OS
| **logwatch** | Daemon | Monitors activity on server and sends activity logs
 
##### fail2ban
[[#^Top|TOP]]
Classic [[Configuring Fail2ban|fail2ban]] installation with a dedicated configuration:
```ad-command
~~~bash
sudo nano /etc/fail2ban/jail.d/sshd.local
~~~
```
With the following parameters:
```ad-code
~~~yaml
[sshd]
enabled = true
port=2227
maxretry = 10
bantime = 1m
~~~
```
 
Please refer to the [[Configuring Fail2ban|conf guide]] for a detailed description.
 
##### Prometheus
[[Configuring Prometheus|Prometheus]] is a monitoring tool for all types of programs and is based on 'structured log files' i.e. the `JSON` format.
Please refer to the dedicated page to understand how [[Configuring Prometheus|Prometheus]] works. It needs to be paired with a visualisation software like Grafana to give its full potential.
 
**live since**: [[2022-03-17]]
 
##### Postfix
Mail Transfer Agent. Configuration is standard to allow for emails to be sent by programs / deamons / [[Nextcloud]] or others. Such a [[Configuring Postfix|system]] is required for every server to work correctly.
 
##### Certbot
[[#^Top|TOP]]
Provides SSL certification from **Let's Encrypt**. Installation dependencies are different from Nginx and explained [here](https://linuxhint.com/secure-apache-lets-encrypt-ubuntu/)
 
##### UFW
Firewall management, see [[Configuring UFW|here]] for more details.
 
##### Nodejs & Yarn
JavaScript & JS package manager.
 
---
 
#### Dedicated Server parameters
[[#^Top|TOP]]
| Service | Used value
|---------|:---------:
|   |  
| **Network: [[Configuring Docker\|docker]] dedicated** | 17.27.37.x
**IP: pw-manager** | 17.27.37.3
**IP: StandardNotes** | 172.22.0.1
**IP: Git** | 172.21.0.3
**IP: Git db** | 172.21.0.4
**IP: Wordle** | 17.27.37.5
**IP: FreshRSS** | 172.20.0.3
**IP: Bookmark** | 172.23.0.2
**IP: Link** | 172.21.0.4
  |  
**Port: SSH** | 2227
**Port: SN** | 2700
**Port: Git server** | 8087
**Port: Git SSH** | 2227
 
---
 
#### Password manager
[[#^Top|TOP]]
[Bitwarden](https://bitwarden.com) is a FOSS enabling self-hosting with a simple deployment through docker/docker-compose.
 
##### Service parameters (pw-manager)
```ad-info
title: service parameters
**IP**: 17.27.37.3:80
**DockerID**: 970b6f4b6150fa03be24287ae29a065c06ff7ed91a3402f8184c8a9aafa5e94d
**DockerName**: bitwarden_bitwarden_1
---
**Address**: https://pw-manager.mfxm.fr
```
 
##### User management (pw-manager)
```ad-info
title: Link
[Admin panel](https://pw-manager.mfxm.fr/admin/)
```
The admin panel needs to be set up with an authentication token and is accessed with the token. User & key management is done from within this panel.
 
---
 
#### Personal notes
[[#^Top|TOP]]
[StandardNotes](https://standardnotes.com) is a program enabling self-hosting with a server-side encryption.
 
##### Service parameters (notes)
```ad-info
title: service parameters
**IP**: 172.22.0.1:2700
**DockerNames**: api-gateway, auth-worker, syncing-server-js-worker, auth, syncing-server-js, db, cache
---
**Address**: https://st-notes.mfxm.fr
```
 
##### Configuration (notes)
2 files are used to configure the service:
```ad-path
~/standalone/.env
```
```ad-path
~/standalone/docker/auth.env
```
Docs can be found [here](https://docs.standardnotes.com/self-hosting/docker).
 
##### Pro Subscription
By selfhosting, access to a Pro subscription is granted. Just make sure each user is flagged as pro in the database:
```ad-command
~~~bash
docker-compose exec db sh -c 'MYSQL_PWD=$MYSQL_ROOT_PASSWORD mysql $MYSQL_DATABASE'
~~~
```
 
Once in the SQL dialogue daemon, rin:
```ad-command
~~~bash
INSERT INTO user_roles (role_uuid , user_uuid) VALUES ( ( select uuid from roles where name="PRO_USER" order by version desc limit 1 ) ,( select uuid from users where email="<EMAIL@ADDR>" ) ) ON DUPLICATE KEY UPDATE role_uuid = VALUES(`role_uuid`);
~~~
```
&emsp;
And finally:
```ad-command
~~~bash
insert into user_subscriptions set uuid = UUID() , plan_name="PRO_PLAN" , ends_at = 8640000000000000, created_at = 0 , updated_at = 0,user_uuid= (select uuid from users where email="<EMAIL@ADDR>") , subscription_id=1;
~~~
```
&emsp;
##### User management (notes)
No user management per se. .env file allows (or not) to restrict new registration.
&emsp;
###### dBeaver
[dBeaver](https://dbeaver.io) installed to view the database entries.
```ad-info
title: Tutorial for setting up conmection
[Tutorial](https://devimalplanet.com/how-to-dbeaver-remote-database-ssh)
```
Once in the tool, select the data to see and the 'data' pane to visualise the tables.
&emsp;
##### StandardNotes extensions
```ad-info
title: service parameters
**Location**: ~/standardnotes-extensions
**reverse-proxy**: ~/standardnotes-extensions/public
---
**Address**: https://tools.mfxm.fr/extensions/index.json
```
&emsp;
StandardNotes has developped extensions to customise both the skin and editor of the app. It is a paying feature normally but can be self-hosted and free.
One GitHub user is offering a [repo](https://github.com/iganeshk/standardnotes-extensions) for extensions that can be cloned and linked to the application.
* **Configuration file**
```ad-command
~~~bash
~/standardnotes-extensions/.env
~~~
```
* **Repository update**
```ad-command
~~~bash
sudo python3 build_repo.py
~~~
```
In the main folder.
&emsp;
---
&emsp;
#### Git repository
[[#^Top|TOP]]
[Gitea](https://gitea.io) is a FOSS enabling self-hosting a Git instance similar to GitHub.
&emsp;
##### Service parameters (git server)
```ad-info
title: service parameters
**IP**: 172.21.0.3
**Docker ID**: b6ec6f3843c3c9afe13215f73e0f8002475a145e33b0f0b555970b7f6f1ae38b
**Docker Name**: gitea
**Dedicated user**: git
---
**Address**: https://git.mfxm.fr
```
&emsp;
##### Service parameters (git db)
```ad-info
title: service parameters
**IP**: 172.21.0.2
**Docker ID**: a06fac3650f8f7dca29b022401a10f63d825283d762306501690e52ab9073d33
**Docker Name**: gitea_db_1
```
&emsp;
##### User management (git)
[[#^Top|TOP]]
User management has not been parametered to exclude new users but an admin panel exists to control and remove users under the admin login.
&emsp;
##### Doc library (git)
[Link](https://docs.gitea.io/en-us/command-line)
&emsp;
##### Utilities
```ad-path
title: Config file
~/gitea/gitea/gitea/conf/app.ini
```
&emsp;
```ad-code
title: email setup
Gitea can work on internal mail points through:
~~~bash
ENABLED = true
FROM = (user addresss)
USE_SENDMAIL = false
HOST = (hostname):25
~~~
```
&emsp;
---
&emsp;
#### News Aggregator
[[#^Top|TOP]]
&emsp;
[FreshRSS](https://freshrss.org) is a News aggregator enabling to read and manage RSS feeds.
It is open-source and self-hostable.
&emsp;
##### Service parameters (News)
```ad-info
title: service parameters
**IP**: 172.20.0.3:80
**DockerNames**: freshrss-app
**live since**: [[2022-03-18]]
---
**Address**: https://news.mfxm.fr
```
&emsp;
##### Configuration (News)
Docker compose set-up.
```ad-path
~/freshrss
```
Docs can be found [here](https://github.com/freshrss/freshrss).
In addition, FreshRSS offers the ability to install extensions relatively easily from within the Settings menu.
&emsp;
---
&emsp;
#### Wordle
[[#^Top|TOP]]
&emsp;
Wordle is a word game that has been bought by the New York Times.
&emsp;
##### Service parameters (Wordle)
```ad-info
title: service parameters
**IP**: 17.27.37.5:80
**DockerNames**: Wordle
**live since**: [[2022-02-11]]
---
**Address**: https://wordle.mfxm.fr
```
&emsp;
##### Configuration (Wordle)
Docker compose set-up.
```ad-path
~/wordle
```
Docs can be found [here](https://hub.docker.com/r/modem7/wordle).
&emsp;
---
&emsp;
#### Web Bookmarks
[[#^Top|TOP]]
&emsp;
Bookmark is a service to save and organise URLs.
&emsp;
##### Service parameters (Bookmark)
```ad-info
title: service parameters
**IP**: 172.23.0.2:9090
**DockerNames**: server & client
**live since**: [[2022-05-07]]
---
**Address**: https://bookmark.mfxm.fr
```
&emsp;
##### Configuration (Bookmark)
Docker compose set-up.
```ad-path
~/Linkding
```
Docs can be found [here](https://github.com/sissbruecker/linkding).
&emsp;
---
&emsp;
#### Link Shortener
[[#^Top|TOP]]
&emsp;
A self-hosted link shortener.
&emsp;
##### Service parameters (Link Shortener)
```ad-info
title: service parameters
**IP**: 172.21.0.4:80
**DockerNames**: pckd_frontend, pckd_server & pckd_db
**live since**: [[2022-05-06]]
---
**Address**: https://link.mfxm.fr
```
&emsp;
##### Configuration (Link Shortener)
Docker compose set-up.
```ad-path
~/Pckd
```
Docs can be found [here](https://github.com/Just-Moh-it/Pckd/issues/27).
&emsp;
---
&emsp;
#### Server-side Monitoring
[[#^Top|TOP]]
Refer to the [[Configuring Monit|monit section]] for further information on installation and configuration.
List of monitored services:
- System
- SSH
- [[Configuring Fail2ban|Fail2ban]]
- cron
- [[Configuring Postfix|Postfix]]
- docker
- Bitwarden
- Mininote
- Git
- Git db
&emsp;
[[Configuring Telegram bots|Telegram bots]] are also being implemented to receive logs from logwatch & [[Configuring Monit|monit]].
&emsp;
---
&emsp;
### Utilities
[[#^Top|TOP]]
&emsp;
#### Cert storage
```ad-path
/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/
```
&emsp;
---
&emsp;
### Pricing
[[#^Top|TOP]]
&emsp;
<mark class="green">Tools Server</mark> | One-off cost | Recurring subscription p.a.
--------|---------------|:----------------------:
<p style="color:cyan">**Server hosting**</p> | &emsp; | *$60*
^ToolsServerCost
&emsp;
---
&emsp;
### Tasks & Further steps
&emsp;
- [ ] :hammer_and_wrench: [[Server Tools]]: Backup server %%done_del%% 🔁 every 6 months on the 1st Tuesday ⏳ 2022-10-04 📅 2022-10-04
- [x] [[Server Tools]]: Backup server 🔁 every 6 months on the 1st Tuesday ⏳ 2022-04-12 📅 2022-04-12 ✅ 2022-04-11
- [x] [[Server Tools]]: Backup server 🔁 every 6 months on the 1st Tuesday 📅 2021-10-14 ✅ 2022-01-08
- [x] [[Server Tools]]: Backup server 🔁 every 6 months on the 1st Tuesday ✅ 2021-10-13
- [x] Set-up landing page
- [ ] :desktop_computer: [[Selfhosting]], [[Server Tools|Tools]]: Upgrader Gitea & Health checks %%done_del%% 🔁 every 4 months 📅 2022-10-18
- [x] :desktop_computer: [[Selfhosting]], [[Server Tools|Tools]]: Upgrader Gitea & Health checks 🔁 every 4 months 📅 2022-06-18 ✅ 2022-06-20
- [ ] :closed_lock_with_key: [[Selfhosting]], [[Server Tools|Tools]]: Upgrader Bitwarden & Health checks %%done_del%% 🔁 every 4 months 📅 2022-12-18
- [x] :closed_lock_with_key: [[Selfhosting]], [[Server Tools|Tools]]: Upgrader Bitwarden & Health checks %%done_del%% 🔁 every 4 months 📅 2022-08-18 ✅ 2022-08-17
- [x] [[Selfhosting]], [[Server Tools|Tools]]: Upgrader Bitwarden & Health checks 🔁 every 4 months 📅 2022-04-18 ✅ 2022-04-16
- [ ] :hammer_and_wrench: [[Selfhosting]], [[Server Tools|Tools]]: Upgrader Standard Notes & Health checks %%done_del%% 🔁 every 4 months 📅 2023-01-18
- [x] :hammer_and_wrench: [[Selfhosting]], [[Server Tools|Tools]]: Upgrader Standard Notes & Health checks %%done_del%% 🔁 every 4 months 📅 2022-09-18 ✅ 2022-09-16
- [x] [[Selfhosting]], [[Server Tools|Tools]]: Upgrader Standard Notes & Health checks 🔁 every 4 months 📅 2022-05-18 ✅ 2022-05-15
[[#^Top|TOP]]
&emsp;
&emsp;