
Version 4 (modified by enno, 5 days ago) ( diff )

--

NOTE: This is a draft. Some of these points might vanish because they collide with other requirements.

Trac Service

  • Move .htpasswd to /etc/trac/auth/ for clarity
  • Redirect Trac logs to /var/log/trac.log
  • Add log rotation for Trac logs
  • Separate Trac environments by project (--env-parent-dir)
  • Review and prune redundant --basic-auth entries

Gitolite and HTTP Git Access

  • Deduplicate authentication: choose between tracd or nginx auth
  • Move inline fastcgi_param settings to a named include file
  • Create Gitolite hooks (e.g., post-receive) for CI/CD triggers
  • Add Cuirass or manual webhook emulation

nginx Configuration

  • Add security headers (CSP, X-Frame-Options, etc.)
  • Hide nginx version (server_tokens off)
  • Add gzip and cache headers for static assets
  • Limit access to /.well-known/ to Certbot only
  • Monitor nginx logs via timed task

Certbot and Certificate Handling

  • Use a Shepherd timer to reload services after certificate renewal
  • Add a declarative hook for certbot renew
  • Log certificate renewal attempts and results

Shepherd Service Management

  • Modularize tracd, fcgiwrap, and adjust-permissions into reusable service types
  • Add auto-restart or health-check for tracd
  • Log permission adjustments explicitly to /var/log

WireGuard VPN

  • Move WireGuard private key to /etc/wireguard/ with strict permissions
  • Add runtime validation or fallback if key is missing
  • Periodically log WireGuard peer status and activity
  • Review and restrict firewall/IP rules for peer access

File System Layout (Btrfs)

  • Create a separate subvolume for /etc for snapshot management
  • Set up a btrfs scrub Shepherd timer
  • Plan for automatic snapshots via Shepherd or cron

Backups and Recovery

  • Define backup strategy (restic or similar)
  • Include /srv, /etc, /home/git, /etc/letsencrypt/ in backups
  • Automate backup using a scheduled service

Admin and Developer Usability

  • Install man-db, nss-certs, less, and similar tools
  • Optionally include Emacs or Neovim
  • Add MOTD or /etc/issue banner pointing to Trac/docs
  • Ensure system config is Git-tracked and reproducible

Monitoring and Alerts

  • Add fail2ban-like protections or firewall rate-limiting for SSH
  • Automate guix deploy dry-runs + alerts on failure
  • Add lightweight resource monitoring via periodic log summary
