NOTE: This is a draft. Some points will vanish because of collision with other requirements

== Trac Service ==
• Move .htpasswd to /etc/trac/auth/ for clarity
• Redirect Trac logs to /var/log/trac.log
• Add log rotation for Trac logs
• Separate Trac environments by project (--env-parent-dir)
• Review and prune redundant --basic-auth entries

== Gitolite and HTTP Git Access ==
• Deduplicate authentication: choose between tracd or nginx auth
• Move inline fastcgi_param settings to a named include file
• Create Gitolite hooks (e.g., post-receive) for CI/CD triggers
• Add Cuirass or manual webhook emulation

== nginx Configuration ==
• Add security headers (CSP, X-Frame-Options, etc.)
• Hide nginx version (server_tokens off)
• Add gzip and cache headers for static assets
• Limit access to /.well-known/ to Certbot only
• Monitor nginx logs via timed task

== Certbot and Certificate Handling ==
• Use a Shepherd timer to reload services after certificate renewal
• Add a declarative hook for certbot renew
• Log certificate renewal attempts and results

== Shepherd Service Management ==
• Modularize tracd, fcgiwrap, and adjust-permissions into reusable service types
• Add auto-restart or health-check for tracd
• Log permission adjustments explicitly to /var/log

== WireGuard VPN ==
• Move WireGuard private key to /etc/wireguard/ with strict permissions
• Add runtime validation or fallback if key is missing
• Periodically log WireGuard peer status and activity
• Review and restrict firewall/IP rules for peer access

== File System Layout (Btrfs) ==
• Create a separate subvolume for /etc for snapshot management
• Set up a btrfs scrub Shepherd timer
• Plan for automatic snapshots via Shepherd or cron

== Backups and Recovery ==
• Define backup strategy (restic or similar)
• Include /srv, /etc, /home/git, /etc/letsencrypt/ in backups
• Automate backup using a scheduled service

== Admin and Developer Usability ==
• Install man-db, nss-certs, less, and similar tools
• Optionally include Emacs or Neovim
• Add MOTD or /etc/issue banner pointing to Trac/docs
• Ensure system config is Git-tracked and reproducible

== Monitoring and Alerts ==
• Add fail2ban-like protections or firewall rate-limiting for SSH
• Automate guix deploy dry-runs + alerts on failure
• Add lightweight resource monitoring via periodic log summary
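
The four nginx items above (security headers, server_tokens off, gzip/cache for static assets, /.well-known/ limited to Certbot) written out as an added example; this is not configuration from the original page. The host name, certificate paths, Certbot webroot and Trac htdocs path are placeholders, and the proxying of / to tracd/fcgiwrap is left out.

```nginx
# Plain-HTTP listener: only Certbot's ACME challenge directory is served from
# /.well-known/; anything else under it is refused, everything else goes to HTTPS.
server {
    listen 80;
    server_name trac.example.org;        # placeholder host name
    server_tokens off;                   # hide the nginx version in Server: and error pages

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;           # placeholder: the -w path given to certbot --webroot
        default_type text/plain;
    }
    location ^~ /.well-known/ {
        return 404;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name trac.example.org;        # placeholder host name
    ssl_certificate     /etc/letsencrypt/live/trac.example.org/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/letsencrypt/live/trac.example.org/privkey.pem;    # placeholder
    server_tokens off;

    # Security headers; "always" attaches them to error responses too.
    # Tighten the CSP once the resources Trac actually loads are known.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'" always;

    # Static assets (placeholder path: the htdocs tree produced by trac-admin deploy):
    # compress them and let clients cache them for a month (expires also emits
    # Cache-Control: max-age). Do not add add_header directives in this block:
    # any add_header inside a location discards the whole server-level set above.
    location /chrome/ {
        alias /srv/trac/htdocs/;
        gzip on;
        gzip_types text/css application/javascript image/svg+xml;
        expires 30d;
    }
}
```

Check the result with `nginx -t` before reloading, and verify the headers on both a normal page and an error page with `curl -sI`.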