Rewrite and update documentation

doc/security/code-server.fail2ban.conf

@@ -1,10 +1,7 @@
 # Fail2Ban filter for code-server
-#
-#
 
 [Definition]
 
-
 failregex = ^INFO\s+Failed login attempt\s+{\"password\":\"(\\.|[^"])*\",\"remote_address\":\"<HOST>\"
 
 ignoreregex =
@@ -12,4 +9,3 @@ ignoreregex =
 datepattern = "timestamp":{EPOCH}}$
 
 # Author: Dean Sheather
-

doc/security/fail2ban.md

@@ -1,4 +1,7 @@
-# Protecting code-server from bruteforce attempts
+# Protecting code-server from Bruteforce Attempts
+
+<!-- TODO: remove this notice -->
+### **NOTE: FAILED LOGIN ATTEMPT LOGGING IS NOT IN THE CURRENT VERSION AND WILL BE RELEASED IN V2.**
 
 code-server outputs all failed login attempts, along with the IP address,
 provided password, user agent and timestamp by default. When using a reverse
@@ -39,4 +42,3 @@ authentication attempts for many applications through regex filters. A working
 filter for code-server can be found in `./code-server.fail2ban.conf`. Once this
 is installed and configured correctly, repeated failed login attempts should
 automatically be banned from connecting to your server.
-

doc/security/index.md

@@ -0,0 +1,8 @@
+# Security Guides
+
+We recommend users running code-server setup SSL and fail2ban on their
+instances for improved security and resilience to attacks.
+
+* [Self-signed SSL guide](./ssl.md)
+* [Let's Encrypt SSL guide](./ssl-certbot.md)
+* [Fail2Ban setup guide](./fail2ban.md)

doc/security/ssl-certbot.md

@@ -0,0 +1,63 @@
+# Generate a Certificate Using Let's Encrypt 🔒
+
+To get around the certificate warnings in Chrome, you might want to install a
+certificate from a trusted Certificate Authority (CA). Luckily, there are CAs
+like [Let's Encrypt](lets-encrypt) which provide certificates for free.
+
+[lets-encrypt]: https://letsencrypt.org/
+
+---
+
+### Using Certbot
+
+[Certbot](certbot) is the program we'll be using to issue certificates from
+Let's Encrypt.
+
+> Pre-requisites: You will need a domain name or subdomain pointed to the IP
+> address of your server.
+
+1. Install Certbot by heading to the [instructions page](certbot-instructions).
+   Select **None of the above** for the software and the right operating system
+   for your setup.
+2. Follow the installation instructions, and stop once you get up to the part
+   where you run the `certbot certonly` command.
+3. Ensure your code-server instance isn't running, and any other webservers that
+   could interfere are also stopped.
+4. Run the following command, replacing `code.example.com` with the
+   hostname/domain you want to run your server on, to issue a certificate:
+   ```
+   sudo certbot certonly --standalone -d code.example.com
+   ```
+5. Follow the prompts, providing your email address and accepting the terms
+   where required.
+6. Once the process is complete, it should print the paths to the certificates
+   and keys that were generated. You can now restart any webservers you stopped
+   in step 2.
+
+[certbot]: https://certbot.eff.org/
+[certbot-instructions]: https://certbot.eff.org/instructions
+
+---
+
+### Starting code-server with a Certificate and Key
+
+Just add the `--cert` and `--cert-key` flags when you run code-server:
+
+```shell
+./code-server --cert=/etc/letsencrypt/live/code.example.com/fullchain.pem --cert-key=/etc/letsencrypt/live/code.example.com/privkey.pem
+```
+
+You can now verify that your SSL installation is working properly by checking
+your site with [SSL Labs' SSL Test](ssl-labs-test).
+
+[ssl-labs-test]: https://www.ssllabs.com/ssltest/
+
+---
+
+### Next Steps
+
+You probably want to setup automatic renewal of your certificates, as they
+expire every 3 months. You can find instructions on how to do this in
+[Certbot's documentation](certbot-renew-docs).
+
+[certbot-renew-docs]: https://certbot.eff.org/docs/using.html?highlight=hooks#renewing-certificates

doc/security/ssl.md

@@ -1,24 +1,33 @@
-# Generate a self-signed certificate 🔒
+# Generate a Self-signed Certificate 🔒
 
-code-server has the ability to secure your connection between client and server using SSL/TSL certificates. By default, the server will start with an unencrypted connection. We recommend Self-signed TLS/SSL certificates for personal use of code-server or within an organization.
+code-server has the ability to secure your connection between client and server
+using SSL/TSL certificates. By default, the server will start with an
+unencrypted connection. We recommend Self-signed TLS/SSL certificates for
+personal use of code-server or within an organization.
 
-This guide will show you how to create a self-signed certificate and start code-server using your certificate/key.
+This guide will show you how to create a self-signed certificate and start
+code-server using your certificate/key.
 
 ## TLS / HTTPS
 
-You can specify any location that you want to save the certificate and key. In this example, we will navigate to the root directory, create a folder called `certs` and cd into it.
+You can specify any location that you want to save the certificate and key. In
+this example, we will navigate to the root directory, create a folder called
+`certs` and cd into it.
 
 ```shell
 mkdir ~/certs && cd ~/certs
 ```
 
-If you don't already have a TLS certificate and key, you can generate them with the command below. They will be placed in `~/certs`
+If you don't already have a TLS certificate and key, you can generate them with
+the command below. They will be placed in `~/certs`.
 
 ```shell
 openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ~/certs/MyKey.key -out ~/certs/MyCertificate.crt
 ```
 
-You will be prompted to add some identifying information about your organization
+You will be prompted to add some identifying information about your
+organization:
+
 ```shell
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
@@ -35,19 +44,27 @@ Organizational Unit Name (eg, section) []:Docs
 Common Name (e.g. server FQDN or YOUR name) []:hostname.example.com
 Email Address []:admin@example.com
 ```
->If you already have a TLS certificate and key, you can simply reference them in the `--cert` and `--cert-key` flags when launching code-server
+
+> If you already have a TLS certificate and key, you can simply reference them
+> in the `--cert` and `--cert-key` flags when launching code-server.
 
 
-## Starting code-server with certificate and key
+## Starting code-server with a Certificate and Key
 
-1. At the end of the path to your binary, add the following flags followed by the path to your certificate and key like so. Then press enter to run code-server.
-   ```shell
-    ./code-server --cert=~/certs/MyCertificate.crt --cert-key=~/certs/MyKey.key
-   ```
-2. After that you will be running a secure code-server.
+Just add the `--cert` and `--cert-key` flags when you run code-server:
 
-> You will know your connection is secure if the lines `WARN  No certificate specified. This could be insecure. WARN  Documentation on securing your setup: https://coder.com/docs` no longer appear.
+```shell
+./code-server --cert=~/certs/MyCertificate.crt --cert-key=~/certs/MyKey.key
+```
 
-## Other options
+> You should check that the
+> `WARN  No certificate specified. This could be insecure` are no longer visible
+> in the output.
 
-For larger organizations you may wish to rely on a Certificate Authority as opposed to a self-signed certificate. For more information on generating free and open certificates for your site, please check out EFF's [certbot](https://certbot.eff.org/). Certbot is a cli to generate certificates using [LetsEncrypt](https://letsencrypt.org/).
+## Other Options
+
+For larger organizations you may wish to rely on a trusted Certificate Authority
+as opposed to a self-signed certificate. For more information on generating free
+and open certificates for your site, please check out EFF's
+[certbot](https://certbot.eff.org/). Certbot is a cli to generate certificates
+using [LetsEncrypt](https://letsencrypt.org/).