From 6704166dd470b81ccc6bf97d3f189b4c06865117 Mon Sep 17 00:00:00 2001 From: counterweight Date: Sat, 6 Jan 2024 23:49:47 +0100 Subject: [PATCH] Thingies --- infra_tests/wireguard_and_nginx_test.md | 25 +++++++++++++++++++++++++ keys_hardware.md | 11 +++++++++++ 2 files changed, 36 insertions(+) create mode 100644 infra_tests/wireguard_and_nginx_test.md create mode 100644 keys_hardware.md diff --git a/infra_tests/wireguard_and_nginx_test.md b/infra_tests/wireguard_and_nginx_test.md new file mode 100644 index 0000000..4803686 --- /dev/null +++ b/infra_tests/wireguard_and_nginx_test.md @@ -0,0 +1,25 @@ +# Wireguard and Nginx + +The purpose of this test is to check if we can restrict access to a service provided through NGINX to only be accessible for clients connecting through a Wireguard VPN. + +This would allow for having internal webpages that can only be reached by users that have access through the VPN. These provides some cool stuff: +- An additional layer of security on top of application/service credentials. +- Perfect protection against sniffing between our member devices and all our services. +- The possibility to fully unplug any user at will by simply removing his keys from the Wireguard VPN config. + +## Test plan + +- [ ] Get a VPS in 1984.hosting +- [ ] Install Ubuntu Server +- [ ] Install Wireguard + - https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-22-04 +- [ ] Install client and check that VPN is working fine +- [ ] Deploy silly webpage with containerized Nginx and open access in the same VPS +- [ ] Validate that Nginx is reachable through clearnet without VPN +- [ ] Modify Nginx config to only listen to requests coming from the VPS localhost +- [ ] Validate that Nginx is not reachable through clearnet without VPN +- [ ] Validate that Nginx is reachable through clearnet without VPN + +## Test logs + +Drop notes here as we try stuff 
diff --git a/keys_hardware.md b/keys_hardware.md new file mode 100644 index 0000000..a209bf2 --- /dev/null +++ b/keys_hardware.md @@ -0,0 +1,11 @@ + +The deposit seedphrase and the GPG keys of each member are vital and should not be lost nor leaked. + +Given their relevance, it makes sense to learn from Bitcoin's HW signer culture and provide each member with a dedicated devices for this purpose. It would provide the best of both worlds in both convenience and security. + +So far, the best suited devices seem to be Trezor HW wallets. Apparently, a set of GPG keys can be derived from the entered seed. This way, the members would be able to backup both their deposit and their GPG identity just by securing their seedphrase, something all of them will already be very much familiar with. + +Relevant links: +- https://trezor.io/learn/a/what-is-gpg +- https://github.com/romanz/trezor-agent/blob/master/doc/README-GPG.md +- https://github.com/romanz/trezor-agent \ No newline at end of file
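Review bot: In `infra_tests/wireguard_and_nginx_test.md`, the step "Modify Nginx config to only listen to requests coming from the VPS localhost" would also lock out the VPN clients this test is meant to admit: traffic from WireGuard peers arrives on the `wg0` interface address, not on loopback, so Nginx needs to listen on (or `allow`) the WireGuard subnet rather than `127.0.0.1`. The last two checklist items also contradict each other ("not reachable through clearnet without VPN" followed by "reachable through clearnet without VPN"); the final one is presumably meant to read "Validate that Nginx is reachable through the VPN". Minor: "These provides some cool stuff" should be "This provides".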
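Review bot: `keys_hardware.md` should state the trade-off it is accepting: deriving the GPG keys from the deposit seed makes one secret the root of both the funds and each member's signing identity, so a leaked or lost seedphrase now affects both at once, and the seedphrase becomes a correspondingly higher-value target. A sentence acknowledging this (and that the Trezor PIN/passphrase and the trezor-agent setup become part of the identity's security boundary) would make the recommendation easier to evaluate. Minor: "a dedicated devices" should be "a dedicated device", the file has no heading unlike the other new file, and it is missing a trailing newline.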