== Trac Service ==
• Move .htpasswd to /etc/trac/auth/ for clarity
• Redirect Trac logs to /var/log/trac.log
• Add log rotation for Trac logs
• Separate Trac environments by project (--env-parent-dir)
• Review and prune redundant --basic-auth entries
• Add syntax highlighting for Scheme code using the Pygments plugin

== Gitolite and HTTP Git Access ==
• Deduplicate authentication: choose between tracd --basic-auth and nginx auth so that a single password file is authoritative
• Create Gitolite hooks (e.g., post-receive) for CI/CD triggers
• Add Cuirass or manual webhook emulation

== nginx Configuration ==
• Add security headers (Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security)
• Hide the nginx version (server_tokens off)
• Add gzip and cache headers for static assets
• Limit access under /.well-known/ to the ACME challenge path Certbot needs
• Monitor nginx logs via a timed task

== Certbot and Certificate Handling ==
• Use a Shepherd timer to reload services after certificate renewal
• Add a declarative deploy hook for certbot renew
• Log certificate renewal attempts and results

== Shepherd Service Management ==
• Modularize tracd, fcgiwrap, and adjust-permissions into reusable service types
• Add auto-restart or a health check for tracd
• Log permission adjustments explicitly to /var/log

== !WireGuard VPN ==
• Move the !WireGuard private key to /etc/wireguard/ with strict permissions (root-owned, mode 0600)
• Add runtime validation, or a fallback, if the key is missing
• Periodically log !WireGuard peer status and activity
• Review and restrict firewall/IP rules for peer access

== File System Layout (Btrfs) ==
• Create a separate subvolume for /etc for snapshot management
• Set up a btrfs scrub Shepherd timer
• Plan for automatic snapshots via Shepherd or cron

== Backups and Recovery ==
• Define a backup strategy (restic or similar)
• Include /srv, /etc, /home/git, and /etc/letsencrypt/ in backups
• Automate backups using a scheduled service

== Admin and Developer Usability ==
• Install man-db, nss-certs, less, and similar tools
• Add an MOTD or /etc/issue banner pointing to Trac/docs
• Ensure the system configuration is Git-tracked and reproducible

== Monitoring and Alerts ==
• Add fail2ban-like protections or firewall rate limiting for SSH
• Automate guix deploy dry-runs and alert on failure
• Add lightweight resource monitoring via a periodic log summary

[WikiStart Back]
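Added example for the !WireGuard items above (strict key permissions plus runtime validation before the interface comes up). This is illustrative code added here, not part of this host's configuration or of !WireGuard itself; the function name check_wg_key, the /etc/wireguard/private.key path and the return codes are assumptions. It relies on GNU stat and base64 as shipped on Guix.

```shell
#!/bin/sh
# check_wg_key FILE [OWNER]
# Returns 0 when FILE is a regular file owned by OWNER (default root),
# has mode 0600 or 0400, and decodes to exactly 32 bytes (a Curve25519
# private key as written by `wg genkey`).  Non-zero return codes name the
# failed check so a Shepherd service can refuse to start with a clear log line.
# Example code (assumed names/paths), not from the page or from WireGuard.
set -u

check_wg_key() {
    key=$1
    owner=${2:-root}
    if [ ! -f "$key" ]; then
        echo "wg-key: $key: missing or not a regular file" >&2
        return 1
    fi
    # GNU stat: %a is the octal mode without leading zero, %U the owner name.
    mode=$(stat -c %a "$key")
    if [ "$mode" != 600 ] && [ "$mode" != 400 ]; then
        echo "wg-key: $key: mode $mode, expected 600 or 400" >&2
        return 2
    fi
    if [ "$(stat -c %U "$key")" != "$owner" ]; then
        echo "wg-key: $key: not owned by $owner" >&2
        return 3
    fi
    # Do not print the key; only count the decoded bytes.
    n=$(base64 -d "$key" 2>/dev/null | wc -c)
    if [ "$n" -ne 32 ]; then
        echo "wg-key: $key: decodes to $n bytes, expected 32" >&2
        return 4
    fi
    return 0
}

# Intended use from a Shepherd start action (path is an assumption):
#   check_wg_key /etc/wireguard/private.key || exit 1
```

Note the choice of fallback: the script refuses to start rather than generating a fresh key with `wg genkey`, because a silently regenerated key no longer matches the public key configured on the peers and the tunnel would fail in a way that looks like a network problem. If a generate-on-first-boot fallback is wanted, log it loudly so the new public key gets distributed.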
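Added example for the Certbot items above (a deploy hook that logs each renewal and reloads the web server only after checking the new certificate). This is illustrative code added here, not this host's hook and not part of Certbot or Guix; the log path, the `herd restart nginx` action, the 30-day threshold and the function names are assumptions. The RENEWED_LINEAGE and RENEWED_DOMAINS variables are the ones Certbot exports to --deploy-hook scripts.

```shell
#!/bin/sh
# Certbot deploy hook: log the renewal, verify the new chain, reload nginx.
# Example code with assumed paths and service names; not from the page.
set -u

LOG=${CERTBOT_HOOK_LOG:-/var/log/certbot-deploy.log}   # assumed path
SERVICES=${CERTBOT_RELOAD_SERVICES:-nginx}             # assumed service list

hook_log() {
    printf '%s deploy-hook: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"
}

# cert_ok FILE DAYS: 0 if FILE parses as a certificate that is still valid
# DAYS days from now (openssl -checkend takes seconds).
cert_ok() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# reload_after_renewal: called by certbot with RENEWED_LINEAGE (the live/
# directory) and RENEWED_DOMAINS (space-separated) in the environment.
# Return codes: 1 missing environment, 2 bad certificate, 3 reload failed.
reload_after_renewal() {
    lineage=${RENEWED_LINEAGE:-}
    domains=${RENEWED_DOMAINS:-}
    if [ -z "$lineage" ]; then
        hook_log "FAIL no RENEWED_LINEAGE in environment"
        return 1
    fi
    if ! cert_ok "$lineage/fullchain.pem" 30; then
        hook_log "FAIL $domains: $lineage/fullchain.pem unreadable or expiring within 30 days, not reloading"
        return 2
    fi
    status=0
    for svc in $SERVICES; do
        # `herd restart` is the Guix Shepherd client; adjust to `reload` if
        # the service defines that action (assumption).
        if herd restart "$svc" >> "$LOG" 2>&1; then
            hook_log "OK $domains: restarted $svc"
        else
            status=3
            hook_log "FAIL $domains: herd restart $svc failed"
        fi
    done
    return $status
}

# Run as: certbot renew --deploy-hook '/path/to/this-script deploy'
case ${1:-} in
    deploy) reload_after_renewal ;;
esac
```

Because the hook checks the chain before touching nginx, a bad renewal leaves the old certificate serving and a FAIL line in the log for the monitoring task to pick up, instead of a restart that fails at the worst moment.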
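Added example for the monitoring items above (the nginx log review timed task and the fail2ban-like protections). This is illustrative code added here, not this host's monitoring and not part of nginx; the function names and the list of probed paths are assumptions, and the sample log lines are constructed in nginx's default combined format with documentation-range addresses. It goes beyond the single bullet by also listing the clients that would be candidates for a firewall block.

```shell
#!/bin/sh
# Periodic summary of an nginx access log in the default combined format:
#   $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$ref" "$ua"
# With awk's default field splitting, $1 is the client, $7 the request path
# and $9 the status (assuming a well-formed "METHOD /path HTTP/x.y" request).
# Example code with assumed names; not from the page.
set -u

# Constructed sample input (not a real log).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [12/May/2024:10:00:01 +0000] "GET /trac/wiki HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2024:10:00:02 +0000] "GET /trac/timeline HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [12/May/2024:10:00:03 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "python-requests/2.31"
198.51.100.9 - - [12/May/2024:10:00:03 +0000] "GET /.env HTTP/1.1" 404 162 "-" "python-requests/2.31"
198.51.100.9 - - [12/May/2024:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "python-requests/2.31"
198.51.100.9 - - [12/May/2024:10:00:04 +0000] "GET /xmlrpc.php HTTP/1.1" 404 162 "-" "python-requests/2.31"
192.0.2.44 - git [12/May/2024:10:00:05 +0000] "POST /git/project.git/git-receive-pack HTTP/1.1" 401 0 "-" "git/2.44"
192.0.2.44 - git [12/May/2024:10:00:06 +0000] "POST /git/project.git/git-receive-pack HTTP/1.1" 200 2048 "-" "git/2.44"
203.0.113.7 - - [12/May/2024:10:00:07 +0000] "GET /trac/chrome/common/css/trac.css HTTP/1.1" 304 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/May/2024:10:00:08 +0000] "GET /trac/login HTTP/1.1" 500 0 "-" "python-requests/2.31"
EOF
}

# Each function reads log lines on stdin.
status_counts() { awk '{c[$9]++} END {for (s in c) print c[s], s}' | sort -rn; }
count_status()  { awk -v s="$1" '$9 == s {n++} END {print n + 0}'; }
top_clients()   { awk '{c[$1]++} END {for (ip in c) print c[ip], ip}' | sort -rn | head -n "${1:-5}"; }

# Requests for paths that only scanners ask a Trac/Git host for.
probe_hits() {
    awk '$7 ~ /^\/(\.git|\.env|wp-login\.php|xmlrpc\.php|phpmyadmin)/ {print $1, $7, $9}'
}

# Clients with at least THRESHOLD 4xx responses: the input for a
# fail2ban-style block list (e.g. an nftables set with a timeout).
client_error_ips() {
    awk -v t="$1" '$9 ~ /^4/ {c[$1]++} END {for (ip in c) if (c[ip] + 0 >= t + 0) print ip}' | sort
}

# summarize_access_log [THRESHOLD] < access.log
summarize_access_log() {
    tmp=$(mktemp)
    cat > "$tmp"
    echo "== requests by status =="; status_counts < "$tmp"
    echo "== top clients =="; top_clients 5 < "$tmp"
    echo "== probes for sensitive paths =="; probe_hits < "$tmp"
    echo "== clients with >= ${1:-10} 4xx responses =="; client_error_ips "${1:-10}" < "$tmp"
    rm -f "$tmp"
}

# Demo on the constructed sample; a timed task would instead run
#   summarize_access_log 10 < /var/log/nginx/access.log
sample_log | summarize_access_log 3
```

The threshold and path list are tuning knobs: a low 4xx threshold on a Git host will catch legitimate clients retrying after a 401, so count only 404/403 or exclude the authenticated Git paths before feeding addresses into a firewall rule.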