OSE Development Server
Purpose
The OSE Development Server serves as both a hardware-mismatched staging node for our Production Server and as a development server.
Security
Because this server is a staging server, it necessarily has mirrored state (i.e., DBs & files) from production. This state contains very sensitive content including, for example, databases of our users' PII such as names, addresses, email addresses, usernames, and (hashed) passwords.
And because this server is also a development server, at any given time it's likely to be running untested code and insecure configurations.
Therefore, to keep the data safe on this machine, only two services should be exposed on the Internet:
- SSH
- OpenVPN
All other traffic must be blocked by iptables.
Both of these services must be hardened. All developers working on the OSE Dev server should first authenticate to OpenVPN. Once given a "local" IP address by OpenVPN, they can freely & securely interact with the dev server.
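One way to check that policy on the host, as an added example that is not part of the original page or OSE's own tooling: a shell function that reads `iptables-save` output and flags any INPUT rule accepting traffic other than SSH and OpenVPN. The ports (tcp/22, udp/1194), the tun* interface name, and the sample ruleset are assumptions.

```shell
# Assumptions (not stated on the page): SSH listens on tcp/22, OpenVPN on
# udp/1194, and VPN clients arrive on a tun* interface.
ALLOWED="tcp/22 udp/1194"

# Reads `iptables-save` text on stdin, prints one line per finding, and returns
# 0 only if the filter INPUT chain accepts nothing beyond $ALLOWED and denies the rest.
audit_input() {
  awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^\*/ { filter = ($1 == "*filter") }
    filter && /^:INPUT / { policy = $2 }
    filter && /^-A INPUT / {
      if (closed) next                       # unreachable after a catch-all drop
      proto = dport = iface = state = target = ""; neg = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "!")  neg = 1              # negated match: flag for manual review
        if ($i == "-p") proto = $(i + 1)
        if ($i == "-i") iface = $(i + 1)
        if ($i == "-j") target = $(i + 1)
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "--ctstate" || $i == "--state") state = $(i + 1)
      }
      if ($3 == "-j" && (target == "DROP" || target == "REJECT")) { closed = 1; next }
      if (target != "ACCEPT") next
      key = proto "/" dport
      if (!neg && (iface == "lo" || iface ~ /^tun/ || (key in ok))) next
      if (!neg && state ~ /^(ESTABLISHED|RELATED)(,(ESTABLISHED|RELATED))*$/) next
      print "EXPOSED: " $0; bad++
    }
    END {
      if (policy != "DROP" && !closed) { print "NO DEFAULT DENY: policy=" policy; bad++ }
      exit (bad > 0)
    }'
}

# Constructed sample ruleset (not taken from the server); tcp/8080 is the stray rule.
sample_rules() { cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
EOF
}
sample_rules | audit_input || true   # prints the tcp/8080 finding
```

On the server the input would be `iptables-save | audit_input`, run as root. IPv6 rules live in a separate ruleset, so `ip6tables-save` output needs the same check.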
Initial Creation (Aug 2019)
On August 1st, 2019, Marcin approved my (Michael Altfield) request to spend $100/year on a development server to facilitate a POC for Discourse (and Askbot) without breaking prod.
The intention was to spin up the cheapest Hetzner cloud node with a 50G block volume: a CX11 @ 2.49 EUR/mo (w/ 1 vCPU, 2G RAM, & 20G disk) + 50G block storage @ 2.00 EUR/mo (total @ 4.49 EUR/mo). That's compared to our existing dedicated production server w/ 4 CPUs, 64G RAM, & 2x 250G disks @ 39 EUR/mo.