Setting servers up is a pain in the ass. There are so many installation steps for each service, then there's the potential for conflicting services, and then when you have to set everything up again due to a migration or something like that, you give up because it's just so much manual work. Luckily, I have Docker to make things less difficult.
On my VPS, I’m running several dockerized self-hosted apps right now, including:
- api.astrid.tech, the backend to this website that I was talking about last issue
- Caddy as the reverse proxy for everything
- Trilium Notes, on notes.astrid.tech, and password-protected so you can’t access it >:(
- OpenVPN, on vpn.astrid.tech
- Firefly III, on the OpenVPN network
- Keycloak, which I haven’t figured out how to use for authentication yet
- DokuWiki, on wiki.dnd.astrid.tech, for keeping track of the D&D campaign I’m running and possibly future ones too
These are all configured with the IaC repo here. The last commit before I published this article was commit 56e26b.
Every app gets its own docker-compose file and folder. This makes it easy for me to test that everything runs and is configured correctly on my local machine. Once I've made sure that I didn't royally fuck up the configs, I'm probably 80% of the way there: I can push to the git repo and run the app in production.
Every app gets its own internal network for compartmentalization. However, there are a couple of shared networks that I’m using for specific purposes:
- proxied: This network includes the Caddy proxy server and every app with a web interface.
- vpn: This network includes the OpenVPN server and every app that I want to restrict.
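Here is an added example of what one of those per-app compose files can look like under this scheme. It is not copied from the IaC repo; the service names, image, and paths are assumptions. The point it shows is the compartmentalization: the database lives only on the app's private network, the app is additionally joined to the shared `proxied` network so Caddy can reach it, and nothing is published on the host, so the only way in is through the reverse proxy.

```yaml
# docker-compose.yml for a hypothetical app called "notes" (assumed name).
# Assumes the shared network was created once, outside compose:
#   docker network create proxied
version: "3.8"

services:
  notes:
    image: example/notes:latest      # placeholder image name
    restart: unless-stopped
    networks:
      - proxied                      # reachable by Caddy on this network
      - notes_internal               # reachable by the database
    expose:
      - "8080"                       # no `ports:` entry, so nothing is bound on the host
    environment:
      DATABASE_URL: postgres://notes@notes-db:5432/notes   # container DNS name, not an IP
    depends_on:
      - notes-db

  notes-db:
    image: postgres:13
    restart: unless-stopped
    environment:
      POSTGRES_USER: notes
      POSTGRES_DB: notes
      POSTGRES_PASSWORD_FILE: /run/secrets/notes_db_password
    secrets:
      - notes_db_password
    networks:
      - notes_internal               # only the app can talk to the database
    volumes:
      - notes-db-data:/var/lib/postgresql/data

networks:
  notes_internal:
    internal: true                   # no route out of this network at all
  proxied:
    external: true                   # shared with the Caddy compose project

secrets:
  notes_db_password:
    file: ./secrets/notes_db_password.txt   # assumed path, kept out of git

volumes:
  notes-db-data:
```

Caddy's own compose file joins the same `external: true` `proxied` network, and its Caddyfile can then say `reverse_proxy notes:8080` using the compose service name. An app that should only be reachable over the VPN swaps `proxied` for the `vpn` network and gets no Caddy site block at all. A quick way to check the isolation is `docker network inspect notes_internal`: only the two containers should be listed, and `docker ps` should show no `0.0.0.0:` bindings for either of them.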
Where to go from here?
I have a whole checklist of things I want to try next.
1. Recommission my old laptop into a server hooked up to the VPN. This will allow me to cheaply and relatively securely extend the functionality of my infrastructure.
2. Proper centralized logging. I will run Filebeat and possibly a few other Beats on the VPS, then run an ELK stack on the laptop. I'm doing it this way instead of just running ELK on the VPS mostly for performance reasons; from what I've heard, Elasticsearch is a memory and CPU hog. There are some nice security benefits that come with that too, because (in theory) it will be hard to get to my laptop.
3. Actually set up backups. I don't know how I'm planning on doing this, but I imagine it's probably best to do it on my VPN-connected laptop as well. You might notice that a lot depends on the VPN laptop.
4. Expand the network. I learned from someone at the Cal Poly Linux Users Group that Oracle gives you two free 1GB 1-core VPSes, along with 2 databases, a bunch of storage, and a load balancer! I can definitely move my OpenVPN server to one of these, for further compartmentalization of my network. As for the other one, I'll have to figure out something else to run on it.
5. Further expand the network. I estimate I have around 4 non-Zero Raspberry Pis lying around my room (I think there's a 2B, 3B, 3B, and 3B+, but don't quote me on that). One of those is being used for OctoPrint, but suppose I were to cluster the other three and run god knows what on them…
6. Learn Kubernetes. If I've accomplished steps (1) and (4), then I'll have 4 different machines I'm working with. Step (5) will mean I have 7 machines. It might be a good idea to learn how to Kubernetes. I think I can do it with step (5).
7. Self-host MOAR apps! Server management is painful sometimes, but it's really fun! The end product is a complicated, well-functioning system that works, and that's always really satisfying.