Tag | Date | DocType | Hierarchy | Performance | Characteristics | Disk | CollapseMetaTable |
---|---|---|---|---|---|---|---|
| 2021-09-19 | Server | NonRoot | | | | yes |
Parent:: mfxm Website Scope, Privacy & Security, @IT & Computer
Tools server
title: Summary
A higher-spec server, set up with Docker, hosting a variety of tools as containers.
Server parameters
title: Dashboard access
[https://clients.desivps.com/clientarea.php](https://clients.desivps.com/clientarea.php)
title: Address
The service will be located under **[tools.mfxm.fr](https://tools.mfxm.fr)** .
Services
title: Service description
The Tools server hosts a variety of tools in Docker containers. A few services that all the others depend on (reverse proxy, mail, firewall, monitoring) are installed on the host, outside Docker.
Installed server dependencies
Docker
title: [[Configuring Docker|docker]] for non-root users
The Docker daemon runs as root and its socket is only writable by root and the `docker` group. To let a non-root user drive Docker, create the group if it does not exist yet, then add the user to it (log out and back in for the membership to take effect):
`sudo groupadd docker`
`sudo usermod -aG docker (username)`
Membership of the `docker` group is root-equivalent: anyone in it can start a container with the host filesystem bind-mounted and read or change any file on the host. Only add accounts that would be given sudo anyway; rootless Docker is the alternative when that is not acceptable.
Currently running Docker containers
title: docker network
ID: 3a4d267e8155e3ff957e15c86360de1431d177b2131455707bea99038f179481
IP: 17.27.37.x
Note: `17.27.37.0/24` is a public range, not RFC 1918. Docker's default address pools are in 172.17.0.0/12, as are the other container addresses on this page, so this is most likely a typo for `172.27.37.x`. Check with `docker network inspect` before relying on the value in firewall or Postfix rules.
Caddy
Caddy is the web server of choice and terminates TLS for the hosted services (it obtains its own Let's Encrypt certificates). Refer to the dedicated note, Configuring Caddy, for configuration and parametrisation.
title: authentication token
`<ADMIN_TOKEN>` (the value is kept out of this note: an admin token is a credential and belongs in the service's env file or a secret store, not in a page that may be shared or synced).
Security
Program name | Type | Description |
---|---|---|
fail2ban | Daemon | Bans addresses that repeatedly fail to log in (see Configuring Fail2ban) |
unattended-upgrades | Program | Installs security updates for the OS and installed packages automatically |
logwatch | Program (daily cron job) | Summarises the server's logs and emails the report |
fail2ban
Classic fail2ban installation (see Configuring Fail2ban) with a dedicated jail file:
~~~bash
sudo nano /etc/fail2ban/jail.d/sshd.local
~~~
With the following parameters (INI syntax; `port` must match the non-standard SSH port 2227 used on this server, otherwise the ban rules are written for port 22 and never block anything):
~~~ini
[sshd]
enabled = true
port = 2227
maxretry = 10
bantime = 1m
~~~
These values are lenient: ten attempts before a one-minute ban barely slows a brute-forcer. Something like `maxretry = 5` with `bantime = 1h` (and `findtime = 10m`, the default window in which retries are counted) is the more usual choice; `bantime` accepts the `m`/`h`/`d` suffixes in fail2ban 0.10 and later. Please refer to the Configuring Fail2ban note for a detailed description.
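To see what the jail values actually do, the following added example (not part of this note or of fail2ban itself) replays fail2ban's counting rule over constructed `auth.log` lines: an address is banned once it has `maxretry` failures inside a `findtime` window, and the ban lasts `bantime`. The hostnames, addresses and log lines are sample data; the note's settings and a stricter variant are both run so the difference is visible.

```python
"""Replays a fail2ban-style sshd jail over constructed auth.log lines.

Added example: re-implements only the counting rule a jail applies
(maxretry failures within findtime => ban for bantime), not fail2ban
itself. Log lines, hostnames and addresses are constructed sample data.
"""
import re
from datetime import datetime, timedelta

# sshd failure lines as written to /var/log/auth.log (syslog format, no year).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)
LOG_YEAR = 2022  # syslog timestamps carry no year; assumed for parsing


def parse_ts(raw: str) -> datetime:
    return datetime.strptime(f"{LOG_YEAR} {raw}", "%Y %b %d %H:%M:%S")


def simulate_jail(lines, maxretry=10, findtime=600, bantime=60):
    """Return {ip: [(ban_start, ban_end), ...]}.

    An IP is banned when it accumulates `maxretry` failures inside a sliding
    `findtime`-second window; the ban lasts `bantime` seconds. Attempts made
    while banned are dropped (in reality the firewall rule stops them before
    sshd ever logs them).
    """
    recent = {}  # ip -> failure timestamps still inside the window
    bans = {}    # ip -> list of (start, end)
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], parse_ts(m["ts"])
        active = bans.get(ip)
        if active and ts < active[-1][1]:
            continue
        window = [t for t in recent.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            bans.setdefault(ip, []).append((ts, ts + timedelta(seconds=bantime)))
            recent[ip] = []
    return bans


def sample_log(ip, start, count, step=5, host="tools"):
    """Constructed failures from one address, `step` seconds apart."""
    return [
        f"{start + timedelta(seconds=i * step):%b %d %H:%M:%S} {host} sshd[4242]: "
        f"Failed password for invalid user admin from {ip} port {50000 + i} ssh2"
        for i in range(count)
    ]


T0 = datetime(LOG_YEAR, 3, 17, 10, 0, 0)
# A brute-forcer sending 12 guesses in one minute, and a user who mistyped twice.
SAMPLE_LINES = sample_log("203.0.113.7", T0, 12) + sample_log("198.51.100.2", T0, 2, step=30)

# The note's settings: 10 tries, 1-minute ban (findtime left at fail2ban's 10-minute default).
NOTE_SETTINGS = dict(maxretry=10, findtime=600, bantime=60)
# A stricter variant: 5 tries, 1-hour ban.
STRICT_SETTINGS = dict(maxretry=5, findtime=600, bantime=3600)

if __name__ == "__main__":
    for name, cfg in (("note", NOTE_SETTINGS), ("strict", STRICT_SETTINGS)):
        for ip, spans in simulate_jail(SAMPLE_LINES, **cfg).items():
            for start, end in spans:
                print(f"{name:6} {ip:15} banned {start:%H:%M:%S} -> {end:%H:%M:%S}")
```

With the note's values the attacker gets nine free guesses and is back after a minute; with the stricter values the ban lands on the fifth guess and holds for an hour. The two-failure user is never banned under either setting.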
Prometheus
Prometheus (see Configuring Prometheus) is a monitoring system for all kinds of programs. It does not read log files: at a fixed interval it pulls metrics from an HTTP endpoint (conventionally `/metrics`) that each monitored program or exporter serves in Prometheus's plain-text exposition format, and stores them as time series.
Please refer to the dedicated page to understand how Prometheus works. It needs to be paired with a visualisation tool such as Grafana to reach its full potential.
live since: 2022-03-17
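The pull model in practice, as an added example that is neither this note's nor the Prometheus project's code: a minimal exporter that serialises a few constructed sample metrics into the text exposition format and serves them on `/metrics` with only the standard library. The metric names, labels and values are made up for the example; the port 9101 is an assumption.

```python
"""Minimal Prometheus exporter showing the pull model and text exposition format.

Added example, not part of the original note or of Prometheus. Prometheus
does not read logs: it scrapes an HTTP endpoint that serves current metric
values in a plain-text format. Metric names, labels and values are sample data.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

# name -> (type, help, [({label: value}, sample_value), ...])
SAMPLE_METRICS = {
    "tools_http_requests_total": (
        "counter", "HTTP requests handled per backend and status code.",
        [({"service": "gitea", "code": "200"}, 1204),
         ({"service": "gitea", "code": "500"}, 3),
         ({"service": "pw-manager", "code": "200"}, 88)],
    ),
    "tools_container_up": (
        "gauge", "1 if the container answers health checks, else 0.",
        [({"name": "gitea"}, 1), ({"name": "gitea_db_1"}, 1), ({"name": "freshrss-app"}, 0)],
    ),
}


def escape_label(value: str) -> str:
    """Label values must escape backslash, double quote and newline."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


def render_metrics(metrics=SAMPLE_METRICS) -> str:
    """Serialise metrics into the Prometheus text exposition format (0.0.4)."""
    out = []
    for name, (mtype, help_text, samples) in metrics.items():
        out.append(f"# HELP {name} {help_text}")
        out.append(f"# TYPE {name} {mtype}")
        for labels, value in samples:
            label_str = ",".join(f'{k}="{escape_label(str(v))}"' for k, v in labels.items())
            out.append(f"{name}{{{label_str}}} {value}" if label_str else f"{name} {value}")
    return "\n".join(out) + "\n"


class MetricsHandler(BaseHTTPRequestHandler):
    """Answers GET /metrics; everything else is a 404."""

    def do_GET(self):
        if self.path != "/metrics":
            self.send_error(404)
            return
        body = render_metrics().encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; version=0.0.4; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(port=9101):
    """Run the exporter on loopback; point a scrape job at http://127.0.0.1:9101/metrics."""
    HTTPServer(("127.0.0.1", port), MetricsHandler).serve_forever()


if __name__ == "__main__":
    print(render_metrics(), end="")
```

The matching scrape job on the Prometheus side is a `static_configs` target of `127.0.0.1:9101` under `scrape_configs`. The endpoint carries no authentication of its own, which is why the example binds to loopback: if it must be reached over the network, put it behind Caddy with access control rather than publishing it directly.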
Postfix
Mail Transfer Agent. The configuration is a standard send-only setup so that programs, daemons, Nextcloud and others can send email; every server needs such an MTA to report correctly (see Configuring Postfix). Keep it listening on loopback and the Docker bridge only and limit `mynetworks` to those ranges, so the containers can relay through it without the host becoming an open relay.
Certbot
Obtains TLS certificates from Let's Encrypt. Installation dependencies differ from Nginx and are explained here. Caddy manages its own Let's Encrypt certificates (see the cert storage path under Utilities), so Certbot is only needed for services that do not sit behind Caddy.
UFW
Firewall management, see Configuring UFW for more details. Caveat: Docker inserts its own iptables rules ahead of UFW's, so a port published with `-p` or `ports:` in a compose file is reachable from the internet regardless of UFW. Publish container ports on `127.0.0.1:` only (Caddy proxies to them), or add rules to the `DOCKER-USER` chain, where that is not wanted.
Nodejs & Yarn
JavaScript & JS package manager.
Dedicated Server parameters
Service | Used value |
---|---|
Network: Docker dedicated bridge (see Configuring Docker) | 17.27.37.x |
IP: pw-manager | 17.27.37.3 |
IP: StandardNotes | 172.22.0.1 |
IP: Git | 172.21.0.3 |
IP: Git db | 172.21.0.4 |
IP: Wordle | 17.27.37.5 |
IP: FreshRSS | 172.20.0.3 |
IP: Pastebin | 172.18.0.2 |
Port: SSH | 2227 |
Port: SN | 2700 |
Port: Git server | 8087 |
Port: Git SSH | 2227 |
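The addresses above are maintained by hand and drift (two of the Git db entries on this page disagree, and the `17.27.37.x` range is not private). The following added example, which is not part of this note, builds the same table from the JSON that `docker network inspect` emits and flags any address outside RFC 1918. The embedded JSON is a constructed stand-in with the fields the command produces (`Name`, `IPAM.Config[].Subnet`, `Containers[].Name`/`IPv4Address`); container names and addresses in it are sample values.

```python
"""Builds the container-address table from `docker network inspect` output.

Added example (not part of the original note). Run as
    docker network inspect $(docker network ls -q) | python3 inventory.py
or call inventory_from_json() on the captured output. SAMPLE_INSPECT is a
constructed stand-in following the command's JSON layout.
"""
import ipaddress
import json
import sys

SAMPLE_INSPECT = json.dumps([
    {
        "Name": "gitea_default",
        "IPAM": {"Config": [{"Subnet": "172.21.0.0/16"}]},
        "Containers": {
            "b6ec6f38": {"Name": "gitea", "IPv4Address": "172.21.0.3/16"},
            "a06fac36": {"Name": "gitea_db_1", "IPv4Address": "172.21.0.2/16"},
        },
    },
    {
        "Name": "tools_net",
        "IPAM": {"Config": [{"Subnet": "17.27.37.0/24"}]},  # deliberately not RFC 1918
        "Containers": {
            "970b6f4b": {"Name": "bitwarden_bitwarden_1", "IPv4Address": "17.27.37.3/24"},
        },
    },
])


def inventory(networks):
    """Return [(network, container, ip)] sorted by network name, then address."""
    rows = []
    for net in networks:
        for c in net.get("Containers", {}).values():
            ip = ipaddress.ip_interface(c["IPv4Address"]).ip
            rows.append((net["Name"], c["Name"], ip))
    return sorted(rows, key=lambda r: (r[0], r[2]))


def inventory_from_json(text):
    return inventory(json.loads(text))


def non_private(rows):
    """Rows whose address is not RFC 1918: almost certainly a typo, or a subnet that
    will collide with real internet hosts (Docker's own pools live in 172.16.0.0/12)."""
    return [r for r in rows if not r[2].is_private]


def render_table(rows):
    """Markdown table in the same layout as the note's 'Dedicated Server parameters'."""
    lines = ["Service | Network | IP", "---|---|---"]
    lines += [f"{name} | {net} | {ip}" for net, name, ip in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    data = json.load(sys.stdin) if not sys.stdin.isatty() else json.loads(SAMPLE_INSPECT)
    rows = inventory(data)
    print(render_table(rows))
    for net, name, ip in non_private(rows):
        print(f"WARNING: {name} on {net} has non-private address {ip}", file=sys.stderr)
```

Regenerating the table this way after every `docker-compose up` keeps the note and the Postfix `mynetworks` / UFW rules in step with what the containers actually got.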
Password manager
Bitwarden is a free and open-source password manager that can be self-hosted, with a simple deployment through docker/docker-compose.
Service parameters (pw-manager)
title: service parameters
**IP**: 17.27.37.3:80
**DockerID**: 970b6f4b6150fa03be24287ae29a065c06ff7ed91a3402f8184c8a9aafa5e94d
**DockerName**: bitwarden_bitwarden_1
---
**Address**: https://pw-manager.mfxm.fr
User management (pw-manager)
title: Link
[Admin panel](https://pw-manager.mfxm.fr/admin/)
The admin panel is enabled by setting an authentication token and is unlocked with that token. User and key management is done from within this panel. A `/admin/` page gated by a token is the behaviour of Vaultwarden (formerly bitwarden_rs), the lightweight reimplementation usually run under the `bitwarden` image name; the token is its `ADMIN_TOKEN` setting. Whoever holds it controls every account on the instance, so keep it in the env file only, and leave the panel disabled when it is not in use.
Personal notes
Standard Notes is a notes application that can be self-hosted; notes are end-to-end encrypted on the client, so the server only ever stores ciphertext.
Service parameters (notes)
title: service parameters
**IP**: 172.22.0.1:2700
**DockerNames**: api-gateway, auth-worker, syncing-server-js-worker, auth, syncing-server-js, db, cache
---
**Address**: https://st-notes.mfxm.fr
Configuration (notes)
2 files are used to configure the service:
~/standalone/.env
~/standalone/docker/auth.env
Docs can be found here.
Pro Subscription
A self-hosted instance can unlock the Pro feature set by flagging each user as Pro in the database. Open a MySQL prompt inside the `db` container:
~~~bash
docker-compose exec db sh -c 'MYSQL_PWD=$MYSQL_ROOT_PASSWORD mysql $MYSQL_DATABASE'
~~~
Once at the MySQL prompt, run (replace `<EMAIL@ADDR>` with the user's login email):
~~~sql
INSERT INTO user_roles (role_uuid, user_uuid)
VALUES (
  (SELECT uuid FROM roles WHERE name = "PRO_USER" ORDER BY version DESC LIMIT 1),
  (SELECT uuid FROM users WHERE email = "<EMAIL@ADDR>")
)
ON DUPLICATE KEY UPDATE role_uuid = VALUES(`role_uuid`);
~~~
And finally (`ends_at` is the largest timestamp JavaScript can represent, i.e. the subscription never expires):
~~~sql
INSERT INTO user_subscriptions
SET uuid = UUID(),
    plan_name = "PRO_PLAN",
    ends_at = 8640000000000000,
    created_at = 0,
    updated_at = 0,
    user_uuid = (SELECT uuid FROM users WHERE email = "<EMAIL@ADDR>"),
    subscription_id = 1;
~~~
User management (notes)
No user management per se; the `.env` file has a setting that allows or disables new registrations. Disable registration once the intended accounts exist, since the instance is reachable from the internet.
DBeaver
DBeaver is installed to view the database entries.
title: Tutorial for setting up the connection
[Tutorial](https://devimalplanet.com/how-to-dbeaver-remote-database-ssh)
Once in the tool, select the database to inspect and open the 'Data' pane to view the tables.
StandardNotes extensions
title: service parameters
**Location**: ~/standardnotes-extensions
**reverse-proxy**: ~/standardnotes-extensions/public
---
**Address**: https://tools.mfxm.fr/extensions/index.json
Standard Notes has developed extensions that customise both the skin and the editor of the app. This is normally a paid feature, but the extensions can be self-hosted for free. A GitHub user maintains a repository of extensions that can be cloned and linked to the application.
- Configuration file
~~~bash
~/standardnotes-extensions/.env
~~~
- Repository update
~~~bash
sudo python3 build_repo.py
~~~
Run from the repository's main folder.
Git repository
Gitea is a free and open-source self-hosted Git service similar to GitHub.
Service parameters (git server)
title: service parameters
**IP**: 172.21.0.3
**Docker ID**: b6ec6f3843c3c9afe13215f73e0f8002475a145e33b0f0b555970b7f6f1ae38b
**Docker Name**: gitea
**Dedicated user**: git
---
**Address**: https://git.mfxm.fr
Service parameters (git db)
title: service parameters
**IP**: 172.21.0.2 (the summary table above lists 172.21.0.4; compose networks hand out addresses in start order, so verify with `docker network inspect` and correct whichever entry is stale)
**Docker ID**: a06fac3650f8f7dca29b022401a10f63d825283d762306501690e52ab9073d33
**Docker Name**: gitea_db_1
User management (git)
Registration has not been disabled (`DISABLE_REGISTRATION` under `[service]` in app.ini), but the admin panel, reachable under the admin login, allows users to be reviewed and removed. As the instance is public, disabling open registration once the intended accounts exist is the safer setting.
Doc library (git)
Utilities
title: Config file
~/gitea/gitea/gitea/conf/app.ini
title: email setup
Gitea can send mail through the host's Postfix via the `[mailer]` section of app.ini:
~~~ini
[mailer]
ENABLED = true
FROM = (user address)
USE_SENDMAIL = false
HOST = (hostname):25
~~~
Inside the container, `localhost` is the container itself, so `(hostname)` must be an address the host MTA listens on that is reachable from the Docker network (and listed in Postfix's `mynetworks`). In Gitea 1.18 and later, `HOST` and `USE_SENDMAIL` are deprecated in favour of `SMTP_ADDR`, `SMTP_PORT` and `PROTOCOL = smtp`.
News Aggregator
FreshRSS is a free, open-source and self-hostable news aggregator for reading and managing RSS feeds.
Service parameters (News)
title: service parameters
**IP**: 172.20.0.3:80
**DockerNames**: freshrss-app
**live since**: [[2022-03-18]]
---
**Address**: https://news.mfxm.fr
Configuration (News)
Docker compose set-up.
~/freshrss
Docs can be found here. In addition, FreshRSS offers the ability to install extensions relatively easily from within the Settings menu.
Wordle
Wordle is a word game that has been bought by the New York Times.
Service parameters (Wordle)
title: service parameters
**IP**: 17.27.37.5:80
**DockerNames**: Wordle
**live since**: [[2022-02-11]]
---
**Address**: https://wordle.mfxm.fr
Configuration (Wordle)
Docker compose set-up.
~/wordle
Docs can be found here.
Pastebin
Pastebin is a service to share code, text and files quickly among users or publicly.
Service parameters (Pastebin)
title: service parameters
**IP**: 172.18.0.2:3001
**DockerNames**: server & client
**live since**: [[2022-04-15]]
---
**Address**: https://pastebin.mfxm.fr
Configuration (Pastebin)
Docker compose set-up.
~/Drift
Docs can be found here.
Server-side Monitoring
Refer to the Configuring Monit note for further information on installation and configuration.
List of monitored services:
- System
- SSH
- fail2ban
- cron
- Postfix
- docker
- Bitwarden
- Mininote
- Git
- Git db
Telegram bots (see Configuring Telegram) are also being set up to receive the reports from logwatch and Monit.
Utilities
Cert storage
/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/
Pricing
Tools Server | One-off cost | Recurring subscription p.a. |
---|---|---|
**Server hosting** | | *$60* ^ToolsServerCost |
Tasks & Further steps
- Server Tools: Backup server 🔁 every 6 months on the 1st Tuesday ⏳ 2022-10-04 📅 2022-10-04
- Server Tools: Backup server 🔁 every 6 months on the 1st Tuesday ⏳ 2022-04-12 📅 2022-04-12 ✅ 2022-04-11
- Server Tools: Backup server 🔁 every 6 months on the 1st Tuesday 📅 2021-10-14 ✅ 2022-01-08
- Server Tools: Backup server 🔁 every 6 months on the 1st Tuesday ✅ 2021-10-13
- Set up landing page
- Selfhosting, Server Tools: Upgrade Gitea & Health checks 🔁 every 4 months 📅 2022-06-18
- Selfhosting, Server Tools: Upgrade Bitwarden & Health checks 🔁 every 4 months 📅 2022-08-18
- Selfhosting, Server Tools: Upgrade Bitwarden & Health checks 🔁 every 4 months 📅 2022-04-18 ✅ 2022-04-16
- Selfhosting, Server Tools: Upgrade Standard Notes & Health checks 🔁 every 4 months 📅 2022-05-18