Siliconvortex
This is my web page. There are many like it, but this one is mine.
Implemented features
- Hosting this page itself
- As secure as possible, courtesy of OpenBSD
- A pretty secure HTTP server (as measured by Observatory)
- acme-client to obtain Let's Encrypt certificates, checked and renewed daily
- forced http -> https redirection
- relayd terminates TLS and injects common security policy headers
- OCSP stapling, updated daily
- Login to the public ssh server restricted to certificate authentication only
- Available on tor too.
- Some code hosted on this server
- Rate-limiting on all public interfaces
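The TLS termination, header injection and http -> https redirect items above, as an added configuration example (not this site's own config): a relayd.conf protocol that terminates TLS and sets the policy headers, with the httpd.conf servers that answer ACME challenges on port 80, redirect everything else to https, and serve the site on localhost for relayd. The hostname example.com, the address 203.0.113.10, the backend port 8080 and the OCSP staple path are assumed placeholders.

```conf
# --- /etc/relayd.conf (assumed placeholder values) ---
ext_addr="203.0.113.10"          # public address, placeholder
table <httpd> { 127.0.0.1 }      # httpd backend listens only on localhost

http protocol "https" {
    # key pair: /etc/ssl/example.com.crt and /etc/ssl/private/example.com.key;
    # the OCSP staple is assumed to be read from /etc/ssl/example.com.ocsp,
    # refreshed by a daily ocspcheck(8) run (verify the path in relayd.conf(5))
    tls keypair "example.com"

    # hand the real client address to the backend
    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"

    # security policy headers injected on every response
    match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains"
    match response header set "Content-Security-Policy" value "default-src 'self'"
    match response header set "X-Content-Type-Options" value "nosniff"
    match response header set "X-Frame-Options" value "DENY"
    match response header set "Referrer-Policy" value "no-referrer"
}

relay "https" {
    listen on $ext_addr port 443 tls
    protocol "https"
    forward to <httpd> port 8080
}

# --- /etc/httpd.conf: plain http only answers ACME and redirects ---
server "example.com" {
    listen on * port 80
    # acme-client writes challenge files here
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
    # everything else is sent to https
    location * {
        block return 301 "https://$HTTP_HOST$REQUEST_URI"
    }
}

# backend that relayd forwards decrypted traffic to
server "example.com" {
    listen on 127.0.0.1 port 8080
    root "/htdocs/example.com"
}
```

With this split, port 80 never serves content, and the policy headers are applied centrally by relayd rather than by each backend.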
Goals
- Restricting port access on all public interfaces (via ssh login, and pf rules)
- All setup codified, repeatable, and testable
- All code hosted on this server
- All data compressed and encrypted off-site for quick disaster recovery (DR)
- Single script DR to restore 100% functionality
- Management via VPN only; the public ssh server is used solely to open the VPN tunnel ports (authpf)
- Diagram of how it all works
- Line by line explanation, with excellent docs
- CI/CD for changes
- Host authoritative DNS
- Automatically update the DNS registrar with the current IP address (ifstated)
- Prefer using OpenBSD utilities from base
- Use OpenBSD utilities from packages when necessary
- Cringe, and add another TODO item on this list if using something else
- "Free" BSD/MIT licensed software only
Stretch Goals
- implement a kubelet to support using Kubernetes as the scheduler
- learn about Mesos
- investigate "clickable" identity via web browser client certificates
Tried this? Mastodon