counterweight/lombra-early-notes
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Thingies

Browse source
This commit is contained in:
counterweight 2024-01-06 23:49:47 +01:00
parent d0d635c6c3
commit 6704166dd4
2 changed files with 36 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

25
infra_tests/wireguard_and_nginx_test.md Normal file
View file

@ -0,0 +1,25 @@
# Wireguard and Nginx
The purpose of this test is to check if we can restrict access to a service provided through NGINX to only be accessible for clients connecting through a Wireguard VPN.
This would allow for having internal webpages that can only be reached by users that have access through the VPN. These provides some cool stuff:
- An additional layer of security on top of application/service credentials.
- Perfect protection against sniffing between our member devices and all our services.
- The possibility to fully unplug any user at will by simply removing his keys from the Wireguard VPN config.
## Test plan
- [ ] Get a VPS in 1984.hosting
- [ ] Install Ubuntu Server
- [ ] Install Wireguard
- https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-22-04
- [ ] Install client and check that VPN is working fine
- [ ] Deploy silly webpage with containerized Nginx and open access in the same VPS
- [ ] Validate that Nginx is reachable through clearnet without VPN
- [ ] Modify Nginx config to only listen to requests coming from the VPS localhost
- [ ] Validate that Nginx is not reachable through clearnet without VPN
- [ ] Validate that Nginx is reachable through clearnet without VPN
## Test logs
Drop notes here as we try stuff

11
keys_hardware.md Normal file
View file

@ -0,0 +1,11 @@
The deposit seedphrase and the GPG keys of each member are vital and should not be lost nor leaked.
Given their relevance, it makes sense to learn from Bitcoin's HW signer culture and provide each member with a dedicated devices for this purpose. It would provide the best of both worlds in both convenience and security.
So far, the best suited devices seem to be Trezor HW wallets. Apparently, a set of GPG keys can be derived from the entered seed. This way, the members would be able to backup both their deposit and their GPG identity just by securing their seedphrase, something all of them will already be very much familiar with.
Relevant links:
- https://trezor.io/learn/a/what-is-gpg
- https://github.com/romanz/trezor-agent/blob/master/doc/README-GPG.md
- https://github.com/romanz/trezor-agent