Well, not so much afraid, but I have set up a naked ForgeJo server in France. It’s secure, but has no firewall blocks. It’s got a decently large git repo on board for bots to get lost in. I don’t have a lot of tolerance for bots on my personal or work sites. I care little enough about the info here that I’m happy to let the bots slurp it all up. Besides, it’s just a mirror of the Rust programming language repository from GitHub.
I’ll also use the ForgeJo instance for my own deeply-public info (probably reworks of data files). I don’t have a ton of personal use for git these days.
The server is a little KS-C from OVH. CAD20 per month for the next three months will hold me over until I can spin up another virtualisation server. As usual, the day after I buy in, a better one comes online for a comparable price. The next one I get has to have vRack access, though — I need it to properly handle the netblocks across multiple servers in clustered mode. One node in Canada, the other in France.
The reason for the French node is to get a sense of how threats differ between geographic locations. The “conventional wisdom” is that they don’t at all “because the Internet is global”, but I’ve already proven that wrong to my satisfaction. Some threats are shared, but others are significantly different. That latter category is the much larger one, too.
Google publishes JSON files with IP ranges for various services, including Google cloud. They don’t see fit to include all of the ranges, though. They’ve chosen to populate RDNS for at least one of those ranges I’ve found, so there is very little question that it’s an omission. With Google, it’s safe to assume that all such omissions are intentional. With the number of employees they have and their alleged intelligence, this situation should properly be utterly impossible as an accident. They’re just too smart, right?
The problem when you tell people they’re the smartest is that they wind up doing incredibly stupid things, thinking that it’s invisible to everyone else. It’s not invisible, Google. We see you, and we’re judging you. The judgement is that you’re trying to be sneaky for whatever reason.
I don’t purchase Google services. Google isn’t good enough. This is one more reason why.
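One practical check that falls out of the entry above, as an added example and not the author's own tooling: take the published range file, test each address from your access logs against it, and do a reverse lookup on anything that is not covered. The sample JSON below is constructed in the layout of those files (a top-level `prefixes` list of `ipv4Prefix`/`ipv6Prefix` entries) using documentation address space, not Google's real prefixes; the `classify` helper takes an injectable lookup function so it can run offline.

```python
import ipaddress
import json
import socket

# Constructed sample in the layout of the published range files.
# The prefixes are RFC 5737 / RFC 3849 documentation ranges, not real ones.
SAMPLE_RANGE_JSON = """
{
  "syncToken": "0",
  "creationTime": "2024-01-01T00:00:00.000000",
  "prefixes": [
    {"ipv4Prefix": "203.0.113.0/24"},
    {"ipv4Prefix": "198.51.100.128/25"},
    {"ipv6Prefix": "2001:db8:1::/48"}
  ]
}
"""


def load_prefixes(text):
    """Parse a range file into ip_network objects (v4 and v6 mixed)."""
    doc = json.loads(text)
    nets = []
    for entry in doc.get("prefixes", []):
        prefix = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        if prefix:
            nets.append(ipaddress.ip_network(prefix, strict=False))
    return nets


def match_prefix(addr, nets):
    """Return the most specific published network containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [n for n in nets if n.version == ip.version and ip in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def reverse_name(addr):
    """Best-effort PTR lookup; None when there is no answer or no network."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def classify(addrs, nets, rdns=reverse_name):
    """Bucket each address as ('published', prefix) when a published range
    covers it, otherwise ('unlisted', ptr) with whatever the resolver says.
    The rdns callable is injectable so this can be exercised offline."""
    out = {}
    for a in addrs:
        net = match_prefix(a, nets)
        if net is not None:
            out[a] = ("published", str(net))
        else:
            out[a] = ("unlisted", rdns(a))
    return out


if __name__ == "__main__":
    nets = load_prefixes(SAMPLE_RANGE_JSON)
    # Constructed addresses; in practice feed these from your access logs.
    seen = ["203.0.113.7", "198.51.100.9", "2001:db8:1::5"]
    for ip, verdict in classify(seen, nets).items():
        print(ip, *verdict)
```

An "unlisted" hit whose PTR lands in the provider's own domain is exactly the omission the entry describes; the most-specific match matters because the published files overlap (a broad prefix in one file, a narrower service-scoped one in another).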
First, I have to finish up some VOIP phone provisioning for work. Well, it’s not first — I actually did my own stuff first.
One of the family businesses has gotten a lot more serious, and it was time to set up some proper infrastructure for it. Some of the web stuff happened yesterday. Given that we have a proper payment gateway now, we need proper contact information to go on people’s credit card bills. I don’t think anyone really wants their personal phone number on that, so off to VOIP.ms to set up some infrastructure.
The nice thing about VOIP.ms is that you can get set up with less than a CAD5 commitment. I grabbed local and toll-free DIDs, set up a couple of SIP accounts and call forwards to mobile phones, a time condition to gate things to voice mail outside of office hours, a ring group to allow either of us to take the call, “press 1 to accept” on the call so we can let it go if it’s not a good time or we’re in a position where we can’t talk, and a few other bits of scaffolding.
I’m still on the fence about whether to handle things primarily through SIP soft phones or forwards to our mobile phones. The nice thing about the SIP soft phones is that they maintain the company CID info when you call out — mobile phones, not so much. The ability to turn off the SIP soft phone and still keep regular, personal phone calls going is another big deal. It’ll take some experimenting to see whether it’ll work in practice, though.
Moving more from Hetzner to OVH. Got one of the last two websites moved. DNS will be up next.
Revamped the dabX Canada site. A new theme (and the assorted mucking about that making it suitable requires) is getting us most of the way there. A new payment gateway that is in place will reduce the reliance on Interac e-transfers, which will be a big hit with people buying from the site. The theme isn’t all the way perfect, but it’ll do for now. I might have to “go pro” to unlock some stuff to make it work all the way.
Truth be told, that site is really meant more for wholesale purchasers or people wanting more information on the product. The primary retail site will be Dongs’n‘Bongs or through resellers. That site will need a few days to come online, though.
I do not love mucking with front-end web stuff. Truth be told, I’m just not that good at it. Thankfully, I figure I’m about half-done and can move on to the fun site next.
Brought my personal cloud from Finland back to Canada, as I want to support companies that do business in Canada. OVH was an easy choice. A KS-LE-2 with 128GB of RAM and a pair of 450GB NVMe SSDs running PVE is the base for it all. It’s affordable, and it’s local.
A jumphost was first, as I’m not a fan of leaving ssh ports open on production servers. Next was a DNS resolver. Setting up and migrating a mailserver took an hour or so. I’m experimenting with RainLoop webmail, and liking it well enough so far as a database-free solution. A static webserver (running bare nginx, mostly for moving files around) was next, along with a happy little bot bomb. I hope the bot makers think to guard against buffer overflows and OOMs. Poor little cretins. A quick database server, then the webserver running this blog. Other stuff will move here soon.
Not bad for a couple of evenings’ work. I was able to shut down all but one of my VMs at Hetzner, and that one can go down once a couple of WordPress sites move over.
That being said, I’m freaking done with WP as a blog platform. It just isn’t one any more, and the themes are actively hostile to it now. I don’t want a splash page, privacy policy, “about me”, contact form, appointment scheduler, and a dozen social media links. I just want to write my stuff and not worry about it.
I snagged a trial to CrowdSec Enterprise, but I’m not keeping it. I think I’ll use this as a baseline, using my own approaches, to see how things compare with CS at work.