Cradicle Explorer
bootstrap.reseed.onion.im
/ README.md
README.md
 1  # reseed.onion.im
 2  
 3  ```
 4  $ ./make-droplet.sh
 5  ```
 6  
 7  ## Policies
 8  
 9  ### DNS
10  
11  - Two-factor authentication
12  - Hardware token
13  - Secure password
14  - Regular audits of Gandi access logs
15  
16  ### Digital Ocean
17  
18  #### Backups
19  
20  Backups written via a write-only key
21  
22  - `reseed.onion.im.crt` tarsnap backups checked monthly
23  - `reseed.onion.im.pem` tarsnap  backups checked monthly
24  - `lazygravy_at_mail.i2p.pem` tarsnap  backups checked monthly
25  
26  #### Account Security
27  
28  - Two-factor authentication
29  - Hardware token
30  - Secure password
31  - Regular audits of Digital Ocean access logs
32  
33  #### Networking
34  
35  - Firewall allow [::0]:443
36  - Firewall allow 0.0.0.0:443
37  - Firewall allow [my-ipv6]:22
38  
39  ### Operating System
40  
41  #### nginx
42  
43  - No server tokens
44  - HTTP2
45  - TLS1.2+
46  - HTTPS only
47  - Custom Diffie Hellman params
48  - A static page for http clients on /index.html
49  
50  #### Logging
51  
52  - Log rotate clears out nginx logs every two days
53  
54  #### Patching
55  
56  - Debian 12
57  - Patches are all handled via Debian unattended upgrades
58  
59  #### SSH
60  
61  - `root` denied
62  - ed25519 key only
63  - SSH key log in only
64  - Firewalled to operator's personal network
65  
66  #### Services
67  
68  - i2p-reseed ran as separate user
69  - Process constrained by systemd+apparmor
70  - Service only listened on localhost (i.e. all traffic proxies through nginx)
71  
72  ### Monitoring
73  
74  Monitored via [reseed-lambda](https://gitlab.com/reseed.onion.im/reseed-lambda).
75  
76  ### Copyright
77  
78  Copyright (C) 2025 Chris Barry <chris@barry.im>
79  
80  This program is free software: you can redistribute it and/or modify
81  it under the terms of the GNU Affero General Public License as published by
82  the Free Software Foundation, either version 3 of the License, or
83  (at your option) any later version.
84  
85  This program is distributed in the hope that it will be useful,
86  but WITHOUT ANY WARRANTY; without even the implied warranty of
87  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
88  GNU Affero General Public License for more details.
89  
90  You should have received a copy of the GNU Affero General Public License
91  along with this program.  If not, see <https://www.gnu.org/licenses/>.
92