
Is there a beginner's guide to self-hosting on a VPS and the kind of activities one should be prepared to take on while doing so?

I want to both get a bit of hands on experience doing that but primarily I want to try hosting Shaarli and Wallabag, probably with yunohost?

I'm a when it comes to this stuff and would love some advice. Thanks! :hackers_town:

@vortex_egg I got a lot of my early boxes and learning from low end box. The real gem isn't the deals, though those can be good. The real value is in the tutorials, how-tos, and other helpful stuff they publish. Learned a lot about first steps with a new public facing box and the joys and horrors of deploying via code.

lowendbox.com/category/tutoria

@crazypedia That is helpful thanks! I might end up getting one through Dreamhost because I already use them for shared hosting and the price seems decent... but the articles on this site look great.

@vortex_egg I'm pretty sure @kemonine has some experience hosting Wallabag, although I don't know if it relates directly to a VPS.

@vortex_egg I personally use docker (others i know use lxc/lxd) for self-hosting on top of a vps

Most projects these days have container deployment options and it tends to keep the 'crap' self-contained and i don't have to worry about my underlying OS much, if at all at that point

I currently use digital ocean for my hosting and have about a dozen different services running inside containers on it

I also use restic and pg_dump for backups to remote locations (i use backblaze b2 as well as a personal nas for restic destination)

Yunohost is a great option if you don't want to think too hard or deal with some of the underlying 'stuff' that's involved with self-hosting

Re @SetecAstronomy's mention and Wallabag: I use their official docker container on my VPS with a postgresql container for the database.

@kemonine

Thanks, that's really helpful.

I think eventually I do want to learn more about the underlying stuff (e.g. I'm familiar with using docker in an existing environment, but not setting up my own environment), but maybe not right now...

This project is competing for attention so I have to be judicious with how far I go down the rabbit hole on this swing of the orbit.

@SetecAstronomy

@vortex_egg

Docker isn't too painful to setup on a vps ; the docs are pretty good on that count ; you basically just install the daemon and start launching containers

if you go with a vps provider definitely look for how they handle increasing the size of the vps ; you can always start 'small' and grow up and into a full complement of services

i started off with only a couple things and slowly built it up over years where i'm now running a vps with 8gb ram, 4 cpus and an additional 100gb block storage device for bulk storage (i have archivebox deployed so i need some serious storage)

@SetecAstronomy

@kemonine Are you using the digital ocean droplets for this?

@kemonine Hmmm now I'm interested in trying this approach. It will be easier to manage in the long run.

Other than backups, what other kind of administrative tasks do you end up either managing or automating for your setup? Updates and security? Networking between components?

Also thanks for the reference to Archivebox. I saw someone mention that the other day and then promptly forgot what it was called... as you can guess I'm trying to build an infrastructure for my external memory and data organization, so this is all very apt.

@vortex_egg i use restic plus a custom script for backing up postgres and mariadb (a couple apps have mariadb as a hard requirement)

it's a pretty straightforward deployment and heavy on containers. if it's not in a container i either write a Dockerfile or move on

aside from that my rough setup is...

- debian
- database dump scripts in cron
- restic to home and to backblaze b2 for backup duties
- auto updates with NO reboot
- docker
- "services" network inside docker so i can have static ips for containers
- traefik (auto ssl for most services)
- acme.sh for services that are not behind traefik (prosody/matrix)
- matrix + synapse + element.io (each in a separate container, traefik creativity)
- prosody + converse.js plugin (not behind traefik)
- freshrss
- wallabag
- archivebox
- gitea
- [other things in containers]
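The "database dump scripts in cron" plus restic part of the list above, written out as an added example. This is not kemonine's script and not code from wallabag, restic or any other project named in the thread: it takes a logical dump of a PostgreSQL container and a MariaDB container with docker exec, hands the dump directory to restic with a retention policy, and has a dry-run mode so the exact commands can be read before anything is wired into cron. Container names, database names, the dump path, the repository and bucket names and the retention numbers are all assumptions.

```shell
#!/bin/sh
# Added example of the "db dump in cron + restic to B2/NAS" pattern; not the
# thread author's script. Container names, database names, paths and the
# repository/bucket below are assumed and should be replaced.
set -eu

DUMP_DIR="${DUMP_DIR:-/var/backups/db}"
# Placeholder repository: "EXAMPLE-BUCKET" is not a real B2 bucket.
RESTIC_REPOSITORY="${RESTIC_REPOSITORY:-b2:EXAMPLE-BUCKET:/vps}"
export RESTIC_REPOSITORY
# RESTIC_PASSWORD_FILE, B2_ACCOUNT_ID and B2_ACCOUNT_KEY are expected in the
# cron job's environment; restic reads them itself, nothing is hard-coded here.
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each command instead of running it

# run CMD...: execute CMD, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# run_to FILE CMD...: like run, but capture CMD's stdout into FILE.
run_to() {
    dest="$1"; shift
    if [ "$DRY_RUN" = 1 ]; then printf '%s > %s\n' "$*" "$dest"; else "$@" > "$dest"; fi
}

# dump_postgres CONTAINER DBUSER DBNAME: logical dump taken inside the database
# container, so no client tools are needed on the host. --clean --if-exists
# makes the dump restorable over an existing database.
dump_postgres() {
    run_to "$DUMP_DIR/$3.pgsql" docker exec "$1" pg_dump -U "$2" --clean --if-exists "$3"
}

# dump_mariadb CONTAINER DBNAME: same idea for the apps that require MariaDB.
# MYSQL_ROOT_PASSWORD is the root password variable of the official mariadb
# image and is already present in the container's environment.
dump_mariadb() {
    run_to "$DUMP_DIR/$2.sql" docker exec -e "DB=$2" "$1" \
        sh -c 'exec mysqldump --single-transaction -uroot -p"$MYSQL_ROOT_PASSWORD" "$DB"'
}

# backup_dumps: ship the dump directory to the restic repository, then apply a
# retention policy and prune. The tag lets db snapshots be listed on their own.
backup_dumps() {
    run restic backup --tag db "$DUMP_DIR"
    run restic forget --tag db --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune
}

main() {
    run mkdir -p "$DUMP_DIR"
    dump_postgres wallabag-db wallabag wallabag   # assumed container, user, db
    dump_mariadb  someapp-db someapp              # assumed container, db
    backup_dumps
}

# Only act when invoked as "backup.sh run", e.g. from root's crontab:
#   15 3 * * * /usr/local/sbin/backup.sh run >> /var/log/db-backup.log 2>&1
case "${1:-}" in
    run) main ;;
esac
```

Run it once with `DRY_RUN=1 ./backup.sh run` and read the printed commands before adding the cron line. Credentials stay out of the script on purpose: the restic password file and B2 keys belong in a root-only environment file, and the local NAS copy should use a different repository password than the B2 copy so that losing one set of credentials does not expose both.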

@kemonine I have another question which is how you secure all this?

Someone brought up the idea to me that running a bunch of php or whatever apps on a vps in 2021 is a good way to be paying $5/month to host a hacked server. Their recommendation, if I was going to do it at all, was to set up OpenVPN or Wireguard and only expose the apps or services over a vpn connection to my devices.

@vortex_egg

This is gonna be kinda long and boils down to : what is your threat model and how paranoid do you want to be?

Also see Ken Thompson's article 'reflections on trusting trust' (https://users.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf)

To answer the question posted...

i use really good passwords and ssh via keys instead of passwords?

i also containerized the apps which has a byproduct of making it harder to hack the underlying server (you *can* it's just harder)

my threat model is such that, with regular updates to my server, self-hosting is better than using external services most of the time

i also don't include the well funded hackers or nation states in my threat model ; if a really good hacker group or well funded hacker group or a nation state wants to get into my servers they are going to no matter what i'm doing ; as an individual i don't have the necessary resources to avoid being hacked by such groups

there is also ease of use to consider too : a vpn can be hacked (gasp!) if it's not setup properly (wireguard is the wise choice for least likely to bite you in the ass config wise) and do i really give enough of a shit about having to have an active, permanent vpn connection to use services like my own rss, wallabag and the like? i already use a password manager and random passwords so even if someone can guess my username they aren't gonna guess the passwords easily or without spending an absurd amount of time on breaking in. why would someone bother? that seems like a massive waste of their time and resources to me.

vps' are also hosted by an outside party ; nothing stops the governments of the world or police forces of the world from requesting an image of the vps disk and just taking my data that way ; or just try to break the account i use to manage my vps ; if you break into my vps account you can just use the api's to snapshot the disk and exfil data that way or just nuke my server from orbit (there's a reason i have local and external backups with different passwords and whatnot)

this is an incredibly dense topic and is driven by threat models, ease of use and what levels of pain you're willing to suffer to ensure 'they cant get in', etc

who do you trust? how many hoops do you want to jump through and keep on top of to ensure you're 'secure'?

security is layers upon layers and vigilance ; i don't have the time or fucks to give to be building a vpn infra that's setup on all the things to simply read and catalog the news or chat with others or...

i found my personal sweet spot and i advise others do the same
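An added check for the "ssh via keys instead of passwords" point in the post above. This is example code, not kemonine's, and the two sample sshd_config files it writes are constructed for illustration: it reads the effective value of the login-related keywords the way sshd does (the first occurrence of a keyword wins and later ones are ignored), falls back to the sshd default when a keyword is absent, and flags every setting that still allows a password login.

```shell
#!/bin/sh
# Added example (not from the thread): audit sshd_config for key-only login.
# The sample configs written by write_samples are constructed, not real hosts.
set -eu

# effective_opt FILE KEYWORD: lower-cased value of the first active KEYWORD
# line. sshd uses the FIRST occurrence of a keyword and silently ignores later
# ones, which is a classic way to believe a setting is applied when it is not.
# Parsing stops at the first Match block and "Keyword=value" syntax is not
# handled; see the note on sshd -T below for the fully resolved config.
effective_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# check_opt FILE KEYWORD DEFAULT WANTED...: report when the effective value
# (or the sshd default, when the keyword is absent) is not one of WANTED.
check_opt() {
    cfg="$1"; key="$2"; def="$3"; shift 3
    val=$(effective_opt "$cfg" "$key")
    [ -n "$val" ] || val="$def"
    for ok in "$@"; do
        [ "$val" = "$ok" ] && return 0
    done
    echo "FAIL: $key is '$val', want one of: $*"
    return 1
}

# audit_sshd FILE: exit 0 when every check passes, 1 otherwise. The defaults
# passed as the third argument are sshd's own compiled-in defaults.
audit_sshd() {
    rc=0
    check_opt "$1" PasswordAuthentication yes no || rc=1
    # PAM-driven "keyboard-interactive" prompts are password logins by another name
    check_opt "$1" KbdInteractiveAuthentication yes no || rc=1
    check_opt "$1" PubkeyAuthentication yes yes || rc=1
    check_opt "$1" PermitRootLogin prohibit-password no prohibit-password || rc=1
    return $rc
}

# write_samples DIR: two constructed configs, a typical fresh-image default and
# a hardened one, so the audit can be exercised without touching a real host.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
# constructed sample: password logins left on, root login allowed
PermitRootLogin yes
PasswordAuthentication yes
# the line below is ignored by sshd because the first occurrence above wins
PasswordAuthentication no
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed sample: keys only, root only with a key
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF
}

main() {
    dir=$(mktemp -d)
    write_samples "$dir"
    for f in weak hardened; do
        echo "== $f.conf"
        audit_sshd "$dir/$f.conf" && echo "OK: key-only login settings in place"
    done
    rm -r "$dir"
}

main "$@"
```

On a live host, `sshd -T` (run as root) prints the fully resolved configuration with Include and Match already applied and keywords in lower case, so `sshd -T > /tmp/effective.conf && audit_sshd /tmp/effective.conf` checks what the daemon actually uses rather than the file as written. Keep an existing session open while changing these settings and confirm a fresh key-based login works before closing it.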

@vortex_egg I mostly used the yunohost documentation when I set it up - had to look up how to set up my consumer grade router to serve traffic as well, elsewhere, but I don’t remember where.

@vortex_egg Digital Ocean has a pretty comprehensive set of documentation for self hosting whatever off the shelf app you pretty much want.

hackers.town
