docs: wip on off reinstall on off2

openfoodfacts · Sep 14, 2023 · 6876c4d · 6876c4d
1 parent 600d847
commit 6876c4d
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 7 deletions.
diff --git a/docs/how-to-fail2ban-ban-bots.md b/docs/how-to-fail2ban-ban-bots.md
@@ -27,14 +27,17 @@ systemctl restart fail2ban
 ## Using it
 
 ### See banned ips
+
 ```bash
 sudo fail2ban-client status nginx-botsearch
 ```
 
 ### Ban an ip
+
 ```bash
 sudo fail2ban-client set nginx-botsearch banip <IP>
 ```
+Note that it support ip ranges, like `123.456.789.1/24`
 
 ### Unban an ip
 ```bash

diff --git a/docs/reports/2023-07-off2-off-reinstall.md b/docs/reports/2023-07-off2-off-reinstall.md
@@ -451,6 +451,21 @@ I already add them to `/etc/sanoid/syncoid-args.conf` so sync will happen.
 
 And on ovh3 add them to `sanoid.conf` with `synced_data` template
 
+### Copying secrets
+
+We will put secrets in private data dir.
+
+```bash
+mkdir /zfs-hdd/off-pro/secrets
+
+# ftp secrets for producers
+rsync 10.0.0.1:/home/off/.netrc /zfs-hdd/off-pro/secrets
+
+# ensure secrets
+chown 1000:1000 -R /zfs-hdd/off-pro/secrets
+chmod go-rwx -R /zfs-hdd/off-pro/secrets
+```
+
 ### How much sugar data
 
 We will put html files of How much sugar in html_data volume as those file are kind of data (they are generated by a script), and the sto in private data
@@ -1712,21 +1727,21 @@ To test my installation I added this to `/etc/hosts` on my computer:
   - (alex) modify scripts
   - (stephane) test xml_to_json.pl vs xml_to_json.js
   - (alex) make a specific systemd task for producers imports
-  - **FIXME**: (alex) srv or srv2 /off-pro/codeonline-images-tmp, agena3000-data-tmp that is /off-pro/<producer>-{images,data}-tmp should be in cache
+  - **TODO** (alex) test scripts (up to the maximum) 
 
-- **FIXME** make a list of what we will rsync and what to backup from off1
-  - (done) list of what we will rsync
-  - (todo) what to backup from off1
+- **DONE** make a list of what we will rsync and what to backup from off1
+  - we already have backup of /srv and /srv2 on ovh3 !
 
-- **DOING** move madenearme*.htm and cestemballe*.html in ZFS and serve with nginx - or just serve them with nginx in container ?
+- **DONE** move madenearme*.htm and cestemballe*.html in ZFS and serve with nginx - or just serve them with nginx in container ?
   - (done) test map with reverse proxy
   - (done) make a specific systemd task for madenear.me generation
-    - **TODO** install and test it
+  - (done) install and test it
 
 - **DOING:** migrate ip tables rules
   - on reverse proxy
-  - (done) use fail2ban instead of iptables
+  - (done) use fail2ban instead of iptables - see [How to use fail2ban to ban bots](./how-to-fail2ban-ban-bots.md)
   - (done) we dont continue with the cron tail -n 10000 /srv/off/logs/access_log | grep search | /srv/off/logs/ban_abusive_ip.pl > /dev/null 2>&1 for now
+  - NOTE: in parallel we are setting up rate limiting with nginx which could then be combined with fail2ban on 409 errors (easy to add to auth error bans)
 
 - **FIXME:** review the VM limits configurations
 - **FIXME**  stress test VM on CPU and on Memory