Update website for new infrastructure

config.toml

@@ -38,11 +38,8 @@ logo_text = "Avery Winters"
 main_menu = [
     { name = "about", url = "/about/" },
     { name = "mastodon", url = "https://mastodon.averywinters.org/@avery", external = true },
-    { name = "matrix", url = "https://matrix.to/#/@avery:averywinters.org", external = true },
-    { name = "git forge", url = "https://git.averywinters.org/", external = true },
     { name = "codeberg", url = "https://codeberg.org/averywinters", external = true },
     { name = "github", url = "https://github.com/averywinters", external = true },
-    { name = "pgp", url = "/pgp/" },
 ]
 menu_more = "show more"
 read_more = "read more"

content/2023-09-14-security-infrastructure.md

@@ -5,13 +5,13 @@ An overview of all the infrastructure and services I host, and the security \
 mindset behind it. \
 """
 date = 2023-09-14
-updated = 2023-10-04
+updated = 2024-01-25
 [taxonomies]
 tags = [ "selfhosting", "nix", "privacy", "security", "networks" ]
 +++
 
-**Note**: This post was updated to reflect a change in the number of servers
-I use to host everything.
+**Note: This post is out of date, but I am leaving it here for its
+historical value.**
 
 Everything on this domain is [self-hosted][0], from DNS to email and all web
 services. I currently manage two servers:
@@ -56,7 +56,7 @@ being encrypted and authenticated isn't actually important for my purposes. This
 could just as easily use another tunneling protocol like [GRE][12], but I find
 WireGuard trivial to setup even if it adds some keys to manage.
 
-[0]: https://git.averywinters.org/avery/home
+[0]: https://codeberg.org/averywinters/home
 [1]: https://en.wikipedia.org/wiki/TSIG
 [2]: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
 [3]: https://letsencrypt.org

content/2023-10-04-wireguard-public-ip.md

@@ -4,10 +4,14 @@ description = """\
 A technique to assign static public IP addresses to a remote machine using WireGuard. \
 """
 date = 2023-10-04
+updated = 2024-01-15
 [taxonomies]
 tags = [ "selfhosting", "nix", "privacy", "security", "networks" ]
 +++
 
+**NOTE: My setup has drifted from this post, but I still find historical value in this
+description so I am leaving the post up.**
+
 # Motivation
 Let's say you have a server somewhere, it has access to the internet, but maybe it:
 1. is behind a [NAT][0] (or even a [CGNAT][1]); or
@@ -164,4 +168,4 @@ new IP addresses as well! The code for my full server configs can be found [here
 [4]: https://en.wikipedia.org/wiki/Proxy_ARP
 [5]: https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol
 [6]: https://nixos.org
-[7]: https://git.averywinters.org/avery/home
+[7]: https://codeberg.org/averywinters/home

content/2024-01-15-tls-mitm-protection.md

@@ -0,0 +1,31 @@
++++
+title = "Protecting TLS services from MITM attacks"
+description = """\
+A public service announcement about how to use CAA records to protect services
+you host against MITM attacks. \
+"""
+date = 2024-01-15
+[taxonomies]
+tags = [ "selfhosting", "privacy", "security", "networks" ]
++++
+
+A few months ago, a Russian XMPP server had their TLS connections with users
+successfully [attacked via a man-in-the-middle][0] (in particular, their ISP and
+government appeared to have coluded to attack their routing and issue new
+certificates to a server in the middle). These kinds of attacks can be
+prevented even if your ISP or government are misbehaving by leveraging DNSSEC
+and CAA records (as well as vigilantly monitoring certificate transparency logs
+for your domain).
+
+If you have a domain you host TLS services on, you should setup restrictive CAA
+records (if you use Let’s Encrypt, that means tied to an `accountid` and/or
+`dns01` validation method), and you should setup DNSSEC. Without these, anyone
+who controls the routing of your IP address (your ISP, hosting provider,
+misbehaving BGP operators, etc.) can be compelled to obtain a certificate for
+your domain.
+
+There are also upcoming technologies like DANE (TLSA records) that allow pinning
+of expected public keys for a domain in DNS, so that browsers can cross-check
+the expected certificates with what they received in the chain from the server.
+
+[0]: https://notes.valdikss.org.ru/jabber.ru-mitm/

content/pages/pgp.md

@@ -1,21 +0,0 @@
-+++
-title = "PGP"
-path = "pgp"
-date = 2023-11-28
-+++
-
-If you need to reach me privately, please use [Matrix][0]. Matrix
-has a much saner security model than PGP email and uses proven,
-modern cryptographic constructions.
-
-If you must use PGP email, please use [my public key][2]. This
-key is also available from [keys.openpgp.org][1] under key ID
-`E0BFC34F1AC77FB5` or from an OPENPGPKEY record published under
-this domain.
-
-My email address/identity is my first name at this domain. The
-fingerprint for this key is `F080B1252C1F6A92F4B7FA11E0BFC34F1AC77FB5`.
-
-[0]: https://matrix.to/#/@avery:averywinters.org
-[1]: https://keys.openpgp.org/vks/v1/by-fingerprint/F080B1252C1F6A92F4B7FA11E0BFC34F1AC77FB5
-[2]: /pgp.asc

static/pgp.asc

@@ -1,13 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-xjMEZWU5lhYJKwYBBAHaRw8BAQdAb40BZm9A0bMPNGUNZnUv4FTRyoRZM+V74Pku
-YO5+i3nNJkF2ZXJ5IFdpbnRlcnMgPGF2ZXJ5QGF2ZXJ5d2ludGVycy5vcmc+wokE
-ExYIADEWIQTwgLElLB9qkvS3+hHgv8NPGsd/tQUCZWU5lgIbAwQLCQgHBRUICQoL
-BRYCAwEAAAoJEOC/w08ax3+158YA/0gB9sIfk4EBMlR1sHbtFIbLWDTCTt64o4tQ
-l1El0NvVAP4pQjxDwYqrlQWVIdopcyhNd5zwwqTxgQsvOsWOdnBECs44BGVlOZcS
-CisGAQQBl1UBBQEBB0Aks5ukEghksSEtadJm3U1aK7oA6n5rOVP9HERJ1dvoNwMB
-CAfCeAQYFggAIBYhBPCAsSUsH2qS9Lf6EeC/w08ax3+1BQJlZTmXAhsMAAoJEOC/
-w08ax3+1oJUBALiFzLegzv2EPbfvpIk7ttnJBkAz8FZ/+csBNDAQK/ErAPoC1k03
-8h/+sci+8PNgaEpl8rkNYg3wKBgwC338QRG6Bg==
-=K0eb
------END PGP PUBLIC KEY BLOCK-----

templates/index.html

@@ -1,5 +1,5 @@
 {% extends "zerm/templates/index.html" %}
 {%- block general_meta -%}
     {{ head::general_meta() }}
-    <link href="https://mastodon.averywinters.org/@avery" rel="me">
+    <link href="https://floss.social/@averywinters" rel="me">
 {%- endblock general_meta -%}