instance-setup-stuff/README.md
# The Playground
---
## Blueprint usage
**_take a deep breath, clear your mind, and open Spotify_**
---
### Pre-requisite #0: A fresh start
#### Fill in the `*-env` files for every service (fml)
```bash
########################
# instance-env
export BACKUP_BUCKET='b2:the-bucket-name-goes-here' # Backblaze B2 remote, as named in the rclone config
export NOTIF_URL='https://ntfy.sh/the-topic-name-goes-here' # ntfy topic
export BASE_DOMAIN='knravish.me'
########################
# Some common stuff
export BUCKET_PATH="${BACKUP_BUCKET}/path/to/backup/in/object/storage"
export VOLUME_PATH="${HOME}/${USER}-data" # or wherever your service's data is
export PORT=<whatever> # your service's webserver; bind it to 127.0.0.1 unless it is in the "O" rows of the port table
# PUID and PGID for running containers as non-root
PUID=$(id -u "$USER")
export PUID
PGID=$(id -g "$USER")
export PGID
########################
# Application specific stuff
# Each service's own variables: look them up in its docs (can't be arsed to list them here)
########################
# ok but WireGuard is a PITA
export UDP_PORT=<whatever> # tunnel port (51820 in the port table)
export GUI_PORT=<whatever> # wg-easy web GUI, loopback only
# bcrypt hash of the GUI password; keep it in single quotes so the `$` separators are not expanded
# shellcheck disable=SC2016
export PASSWORD_HASH=<whatever>
export WG_HOST="vpn.${BASE_DOMAIN}"
# Interface that carries the default route: pick the token after "dev" rather than assuming it is field 5
WG_DEVICE=$(ip route get 8.8.8.8 2>/dev/null | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1) }')
export WG_DEVICE
```
### Then
- run `file_transfers.ps1` (assumes a Windows workstation is the source host for now)
- update DNS records as needed (`BASE_DOMAIN` and `WG_HOST` from the env file)
### Pre-requisite #1: Ports in VPC/VCN firewall rules
- allow all ICMP traffic for pinging (already open? verify in the security rules)
- legend for the list of active listeners below:
  - `*` : bound to all addresses, i.e. `0.0.0.0` and `[::]`
  - `%lo` : loopback interface
  - `enp0s6` : the host's Internet-facing interface
  - `Forwarded?` : `O` if the port is open in the host's firewall and, on a VPS, in the virtual network's security rules; `X` if not
- a listener marked `*` but `X` (Foundry VTT on 30000 below) is reachable from anything else in the same virtual network, and from the Internet as soon as a security rule opens it; bind such services to `127.0.0.1` unless they are meant to be public
| Address         | Port  | Protocol | Desc.                                              | Forwarded? |
| --------------- | ----- | -------- | -------------------------------------------------- | ---------- |
|                 |       | ICMP     | All ICMP traffic                                   | O          |
| \*              | 22    | TCP      | SSH                                                | O          |
| 127.0.0.53%lo   | 53    | TCP, UDP | systemd-resolved stub resolver (loopback only)     | X          |
| 10.0.0.3%enp0s6 | 68    | UDP      | DHCP client                                        | X          |
| \*              | 80    | TCP      | Nginx (HTTP)                                       | O          |
| \*              | 443   | TCP      | Nginx (HTTPS)                                      | O          |
| 127.0.0.1       | 2368  | TCP      | Ghost blog                                         | X          |
| 127.0.0.1       | 3000  | TCP      | Homepage                                           | X          |
| 127.0.0.1       | 3001  | TCP      | Gitea                                              | X          |
| 127.0.0.1       | 3456  | TCP      | Vikunja                                            | X          |
| 127.0.0.1       | 5006  | TCP      | Actual Budget                                      | X          |
| 127.0.0.1       | 5100  | TCP      | Password Pusher (pwpush)                           | X          |
| 127.0.0.1       | 5230  | TCP      | Usememos                                           | X          |
| 127.0.0.1       | 8080  | TCP      | Shlink                                             | X          |
| 127.0.0.1       | 8081  | TCP      | Stirling-PDF                                       | X          |
| 127.0.0.1       | 8384  | TCP      | Syncthing (web GUI)                                | X          |
| 127.0.0.1       | 9001  | TCP      | Spotify Manager (that's us!)                       | X          |
| 127.0.0.1       | 9091  | TCP      | Authelia                                           | X          |
| \*              | 21027 | UDP      | Syncthing (local discovery broadcasts)             | O          |
| \*              | 22000 | TCP, UDP | Syncthing (sync protocol; UDP is QUIC)             | O          |
| \*              | 25565 | TCP      | Minecraft server (Java edition, 1.20.4)            | O          |
| \*              | 30000 | TCP      | Foundry VTT (bound to all addresses, not forwarded) | X          |
| \*              | 51820 | UDP      | WireGuard (VPN tunnel)                             | O          |
| 127.0.0.1       | 51821 | TCP      | WireGuard (wg-easy web GUI)                        | X          |
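A check for the table above, added here as an example rather than anything from the repo: it parses `ss -tulnH` output and reports sockets bound to a wildcard address whose port is not in the list of ports you meant to forward (the `O` rows). The sample `ss` output and the `PUBLIC_PORTS` list are constructed for the example; the function names are mine. Against the live host run `ss -tulnH | check_listeners "$PUBLIC_PORTS"` (add `-p` and run as root if you also want process names).

```bash
#!/usr/bin/env bash
# Added example, not part of the repo: flag sockets bound to a wildcard address
# (0.0.0.0, *, [::]) whose port is not in the list of intentionally forwarded ports.

# Ports that are meant to be reachable from the Internet (the "O" rows of the table).
PUBLIC_PORTS='22 80 443 21027 22000 25565 51820'

# Constructed sample of `ss -tulnH` output (Netid State Recv-Q Send-Q Local Peer);
# not captured from the real host. Foundry VTT on *:30000 is the odd one out.
SAMPLE_SS='udp   UNCONN 0 0      127.0.0.53%lo:53   0.0.0.0:*
udp   UNCONN 0 0      0.0.0.0:21027      0.0.0.0:*
tcp   LISTEN 0 4096   127.0.0.1:2368     0.0.0.0:*
tcp   LISTEN 0 4096   0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0 4096   *:30000            *:*
tcp   LISTEN 0 511    [::]:443           [::]:*'

# Reads ss output on stdin; prints "proto port" for each wildcard listener not in $1.
# Header lines (when -H is omitted) are skipped because their column 5 has no port.
unexpected_wildcards() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      la = $5
      port = la; sub(/.*:/, "", port)          # text after the last colon
      if (port !~ /^[0-9]+$/) next              # header or malformed line
      addr = la; sub(/:[0-9]+$/, "", addr)      # strip the port ...
      sub(/%.*/, "", addr)                      # ... and any %iface scope
      if ((addr == "0.0.0.0" || addr == "*" || addr == "[::]") && !(port in ok))
        printf "%s %s\n", $1, port
    }'
}

# Returns 1 (and prints the offenders) when anything unexpected is exposed,
# so it can gate a cron job or an ntfy alert.
check_listeners() {
  local findings
  findings=$(unexpected_wildcards "$1")
  [ -z "$findings" ] && return 0
  printf 'wildcard listener(s) not in the forward list:\n%s\n' "$findings" >&2
  return 1
}

# Demo on the constructed sample; for the real host: ss -tulnH | check_listeners "$PUBLIC_PORTS"
if printf '%s\n' "$SAMPLE_SS" | check_listeners "$PUBLIC_PORTS"; then
  echo "ok: only forwarded ports are bound to wildcard addresses"
fi
```

On the constructed sample the check reports `tcp 30000`; adding `30000` to `PUBLIC_PORTS` (or rebinding Foundry VTT to `127.0.0.1`) makes it pass. The allow list is the source of truth, so keep it in step with the security rules rather than with whatever happens to be listening.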
### Pre-requisite #2: Config the master script
- start with `instance-setup`
- re-evaluate the sudoers rules: too many things have been given too much permission :)
- ensure ufw is disabled (the host firewall is managed below, not by ufw)
- (Oracle VPS only) the stock image ships iptables rules that reject everything except SSH; either add ACCEPT rules for the forwarded ports or accept everything (`iptables -I INPUT -j ACCEPT`) and rely on the VCN security list alone, in which case that list is the only firewall and the port table above has to stay accurate
- maybe use the new Pro token
- check the email address too
---
## Applications
### Authelia
### Actual
- PWA on mobile!
### Ghost
- updates need a compatibility check across Ghost, ghost-cli and the Node.js version (Ghost only supports specific Node majors)
### Minecraft
- version-locked 1.20.4
- backup of everything, including JAR file
### Password Pusher
### Shlink
- managed through the [shlink.io web app](https://app.shlink.io), which needs an API key generated on the server (`shlink api-key:generate` inside the container); otherwise run the CLI in the container directly
### Spotify Manager
- yippee!
- be conservative with dependency updates
### Stirling-PDF
- guest creds are `'guest':'temppass3'` (a shared throwaway login; rotate it if this file ever leaves the repo)
### Wireguard/wg-easy
- reach the VPS's non-forwarded services through the tunnel at its private address `10.0.0.3` (VCN subnet `10.0.0.0/24`); services bound only to `127.0.0.1` are not reachable that way
## Tooling and config
### bash
- also add new aliases to the skeleton dotfiles in `/etc/skel`, so newly created users get them
- do not put sensitive values in `/etc/environment`: it is world-readable (`0644`) and loaded into every login session by `pam_env`
- `cp -pr` copies recursively and preserves mode, ownership and timestamps
### nginx
- current practice: put site configs in `conf.d`; to disable a site, rename it so it no longer ends in `.conf` (only `*.conf` is included)
- old practice: `sites-enabled` symlinks to the files in `sites-available` as needed
- serving some temporary files to share from `/var/www/tmpfiles`
- the custom build with extra modules is broken; ignore it
### rclone
- config is for Backblaze B2, 10 GB total
- always log to a file and always notify (ntfy) on success and on failure, so a silently failing backup cannot go unnoticed
### systemd
- `WantedBy` should be
- `default.target` for user services
- `multi-user.target` for system services
### cron
- cron jobs don't inherit a login shell's environment, so give them a minimal set of variables explicitly
- set `USER` at the start of every user crontab
- set `XDG_RUNTIME_DIR` (`/run/user/<uid>`) and `DBUS_SESSION_BUS_ADDRESS` (`unix:path=/run/user/<uid>/bus`) for users whose jobs talk to their systemd user instance (`systemctl --user`); that instance only exists outside a login session if the user has `loginctl enable-linger`
- stagger cron jobs to avoid resource contention
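A cron-safe backup wrapper, added here as an example (not the repo's own script) that ties the rclone and cron notes together: it syncs `$VOLUME_PATH` to `$BUCKET_PATH` with a dated log file and posts the outcome to the ntfy topic in `$NOTIF_URL`, using the `*-env` variables from the top of this page. `RCLONE_BIN`, `CURL_BIN` and `LOG_DIR` are hypothetical overrides so the function can be exercised without real storage; the rclone flags and the ntfy `Title`/`Priority` headers are real. The crontab entry in the trailing comment uses made-up values (`alice`, uid `1000`, `$HOME/instance-env`, `$HOME/backup.sh`).

```bash
#!/usr/bin/env bash
# Added example, not the repo's own script. Requires the *-env variables:
#   VOLUME_PATH (data dir), BUCKET_PATH (rclone destination), NOTIF_URL (ntfy topic).
# RCLONE_BIN, CURL_BIN and LOG_DIR are hypothetical overrides used for testing.

# Post a message to the ntfy topic. Title and Priority are ntfy's request headers.
notify() { # $1 title, $2 priority (default|high), $3 body
  "${CURL_BIN:-curl}" -fsS -H "Title: $1" -H "Priority: $2" -d "$3" \
    "${NOTIF_URL:?NOTIF_URL is not set}" >/dev/null
}

# Build the log path once so the same name appears in the notification.
log_path() { # $1 service name
  printf '%s/backup-%s-%s.log' "${LOG_DIR:-/var/log/backups}" "$1" "$(date +%F_%H%M)"
}

# Sync and always notify; the exit status mirrors rclone's so cron/monitoring can see it.
backup_and_notify() { # $1 service name (used in the log name and the message)
  local name="${1:-service}" src="${VOLUME_PATH:?VOLUME_PATH is not set}"
  local dst="${BUCKET_PATH:?BUCKET_PATH is not set}" log rc
  log=$(log_path "$name")
  mkdir -p "$(dirname "$log")"
  "${RCLONE_BIN:-rclone}" sync "$src" "$dst" --log-file "$log" --log-level INFO
  rc=$?
  if [ "$rc" -eq 0 ]; then
    notify "backup ok: $name" default "$src -> $dst (log: $log)"
  else
    notify "backup FAILED: $name (rclone exit $rc)" high "see $log on $(uname -n)"
  fi
  return "$rc"
}

# Crontab entry for the user that owns the data (hypothetical values). cron does
# not load the login environment, so the env file is sourced explicitly and the
# systemd --user variables are set up front; the job is staggered to 03:17:
#   USER=alice
#   XDG_RUNTIME_DIR=/run/user/1000
#   DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
#   17 3 * * * . "$HOME/instance-env" && . "$HOME/backup.sh" && backup_and_notify ghost

# Run directly as `backup.sh <service>`; when sourced with no arguments only the functions are defined.
if [ -n "${1:-}" ]; then
  backup_and_notify "$1"
fi
```

The failure notification carries the rclone exit code and the log path rather than the log itself, so the ntfy message stays small and nothing from the data set leaks into the notification channel; the log file on the host is where the details live.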