DONT USE THIS REPOSITORY NO MATTER WHAT due to security reasons (i.e. there are no firewall rules, not much service monitoring, no fail2ban rules and, most important, it uses docker). The playbook is fine only for my personal usage.
- Obviously, `A` record for your TLD + wildcard/subdomain configuration in Cloudflare or your favourite DNS provider.
- Debian 10-11 (maybe works fine on other `apt` distros)
- Large folder for docker data (done by VPS via large disk)
- ssh authorization key for root user (done by VPS or `ssh-copy-id root@mayurifag.ru`)
- Ansible: `python3 -m pip install --user ansible`
- (only MacOS) passlib: `python3 -m pip install --user passlib` (to use the crypto module from ansible)
```sh
git clone https://github.com/Mayurifag/mayurifag.ru.git
cd mayurifag.ru
cp -rfp inventories/sample inventories/my-provision
# ... change my-provision ...
ansible-galaxy install -r requirements.yml
ansible-playbook -i inventories/my-provision/inventory provisioning.yml
```
Maybe first you'll need to ssh in and run:

```sh
apt-get --allow-releaseinfo-change update
```
- Remove old remote host identification

```sh
ssh-keygen -R mayurifag.ru ; ssh-keygen -R $(host mayurifag.ru | awk '/has address/ {print $4}')
```

- Generate a new ssh key and add it to your inventory vars file

```sh
ssh-keygen -t rsa -b 4096 -C "Mayurifag@mayurifag.ru" -f ~/Desktop/mayurifag.ru
xclip -sel clip < ~/Desktop/mayurifag.ru.pub
vi inventories/my-provision/group_vars/sample.yml # add key here in section
keepassxc # Make new ssh agent entry
```

- Make a new ssh config section. You need to change it after deploy.

```sh
vi ~/.ssh/config
```

```
# ~/.ssh/config
Host *
    Protocol 2
    ServerAliveInterval 120
    ServerAliveCountMax 2
[...]
Host mayurifag-prod
    HostName mayurifag.ru
    # Change User and Port after deployment
    # (ssh_config does not accept trailing comments on the same line as a value)
    User root
    Port 22
```
Work is not in progress now, because I'm okay with the current implementation, but I still think there are some things for further development if I need to deploy my services once again.
- Some strange things with Traefik config. If problem with `my-headers@file` -> return `my-headers@file`
- Log rotation for docker containers - or default settings after install
- https://github.com/alexta69/metube
- Add cleaning up apt-get to get extra 1GB
- Think how to rotate logs easily for docker (takes all the space in a year or more)
- Ssh configuration: change port and make the sshd configuration cheatsheet with Readme
- Comment out ports sections on containers and try to work with them
- Add Dozzle https://github.com/amir20/dozzle
- Uptime Kuma
- Blocky DNS
- Add systemd services - do I need them or I'm fine
- Migrate to a dashboard which is easily maintainable: flame (with labels)
- Add Authentik / Remove baseauth
- Add Cloudflare companion `tiredofit/traefik-cloudflare-companion:latest` docker
- Add Vikunja https://vikunja.io/docs/full-docker-example/
- Move this section to issues and kanban
- Add zswap
- https://github.com/pglombardo/PasswordPusher
- Migrate from mysql to postgres for nextcloud. Look at other performance boosters. cron at docker for nextcloud. Bump versions.
  - https://github.com/ReinerNippes/nextcloud_on_docker
  - https://help.nextcloud.com/t/howto-ubuntu-docker-nextcloud-talk-collabora/76430
  - https://docs.nextcloud.com/server/18/admin_manual/configuration_server/caching_configuration.html
  - https://docs.nextcloud.com/server/18/admin_manual/installation/server_tuning.html
- https://github.com/epoupon/lms
- Add automatic backup solution (duplicati?). Do I need anything more than /data/docker_data?
- Add ufw with rules + make docker respect the rules
- Add pastebin
- Make traefik write logs to file + logrotate them
- Suggest if I need more fail2ban jail rules
- Add motd.txt to server
- About lazydocker
- Aliases
- https://github.com/EmbarkStudios/wg-ui
- Navidrome
- Doku https://github.com/tborychowski/self-hosted-cookbook/blob/master/apps/docker/doku.md
- https://github.com/tborychowski/self-hosted-cookbook/blob/master/apps/other/firefox.md
- FileRun
- Simple proxy server in docker
- Makefiles + info to launch only specified tags
- Ssh hardening:
  - If I change port on installation -- what do I have to change then?
  - Check if current config is okay without changes done already by playbook
  - `PubkeyAuthentication yes`
  - `AllowUsers root admin_username` (sshd_config takes a space-separated list)
  - `AllowTcpForwarding no`
  - `PermitEmptyPasswords no`
  - `X11Forwarding no`
  - fail2ban already installed but needs harder configuration
- Add zsh
- Make CI working
- Add instructions for requirements and deployment
- Try to make deploy from zero to hero. Add instructions if needed.
- Add lightweight filesharing nextcloud alternative (FileRun?)
- Add web analytics (matomo?)
- Add rocket.chat
- Add url shortener
- Add wiki
- Add Git (gitea/gitlab/else)
- Add ci/cd runner for selfhosted git
- Add bitwarden/Vaultwarden
- Check security https://github.com/docker/docker-bench-security https://github.com/quay/clair
- Make connection to docker through proxy fluencelabs/docker-socket-proxy
- Migrate from dante to something docker based
- Migrate from shadowsocks-rust + v2ray to shadowsocks2-go + x-ray / maybe docker
- https://hub.docker.com/r/linuxserver/librespeed
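As an added example (not part of the playbook), a check for the ssh hardening items above: it reads `sshd -T` output (the effective config; `sshd -T` has to run as root on the server) from stdin and reports every setting that deviates from the listed values. `admin_username` is the playbook's placeholder user, and the sample `sshd -T` output is constructed.

```bash
#!/usr/bin/env bash
# Added example: check `sshd -T` output (on stdin) against the hardening list.
# Single-valued options and the value each must have (sshd -T lowercases names).
EXPECTED="pubkeyauthentication yes
allowtcpforwarding no
permitemptypasswords no
x11forwarding no"
# sshd -T prints AllowUsers as one "allowusers <name>" line per entry, so the
# user list is checked separately. admin_username is the playbook's placeholder.
ALLOWED_USERS="root admin_username"
check_sshd_config() {
  local actual line key want got u rc=0
  actual="$(cat)"
  while IFS= read -r line; do
    key="${line%% *}"; want="${line#* }"
    got="$(printf '%s\n' "$actual" | awk -v k="$key" '$1 == k {print $2; exit}')"
    if [ -z "$got" ]; then
      printf 'MISSING %s (want %s)\n' "$key" "$want"; rc=1
    elif [ "$got" != "$want" ]; then
      printf 'MISMATCH %s: want %s, got %s\n' "$key" "$want" "$got"; rc=1
    fi
  done <<EOF
$EXPECTED
EOF
  for u in $ALLOWED_USERS; do   # every expected user must be listed ...
    printf '%s\n' "$actual" | grep -qx "allowusers $u" \
      || { printf 'MISSING allowusers %s\n' "$u"; rc=1; }
  done
  while read -r u; do           # ... and nobody else may be
    [ -n "$u" ] || continue
    case " $ALLOWED_USERS " in
      *" $u "*) ;;
      *) printf 'EXTRA allowusers %s\n' "$u"; rc=1 ;;
    esac
  done <<EOF
$(printf '%s\n' "$actual" | awk '$1 == "allowusers" {print $2}')
EOF
  return "$rc"
}
# Constructed samples: sshd -T after hardening, and a default-ish sshd that still forwards.
SAMPLE_HARDENED="pubkeyauthentication yes
allowtcpforwarding no
permitemptypasswords no
x11forwarding no
allowusers root
allowusers admin_username"
SAMPLE_DEFAULT="pubkeyauthentication yes
allowtcpforwarding yes
permitemptypasswords no
x11forwarding yes"
```

Against the live host, source the file and run `ssh mayurifag-prod sshd -T | check_sshd_config`; a non-zero exit means at least one of the listed settings is not in effect.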
There is a branch `old-implementation-with-mailserver` without docker. I decided to rewrite the roles from scratch with all the XP I've got so far and include docker containers for better maintainability. But there are still some ideas I want to migrate into the newer implementation.