Server & Website Updates
I just finished migrating sequentialread.com to an ODROID HC1, plus tons of updates to my infrastructure & apps!
Long ago, I set up this website on an old (and now, ancient) discarded HP desktop dubbed the recycle computer ♻️.
I hadn't updated it in many years, as I was busy being a career man, so I did the typical thing and just kept using the old system... For many years. For about four and a half years, I think. It served me well, but was time to put it out to pasture. I'm pretty sure I paid more for electricity to run that thing than I saved by getting a hand-me-down computer for free. I never planned to keep it around that long, it just sort of.. happened.
But now that I have more time on my hands, I decided it's time to update, and I chose my ODROID HC1 as a target platform for my new server, simply because I was given one as a gift, so I had an extra, and I liked the stonk since a long time ago.
The HC1 is essentially the same board as the ODROID XU4, however instead of a USB 3.0 port, it has a powered SATA III port for a hard drive and a fatass heatsink built in, functioning as the frame/enclosure. It's perfect for self-hosting, its cheap and the SATA port being built in, having a reliable power supply for both the disk and the CPU eliminates a lot of potential worries that might otherwise plague SBC (single board computer) servers.
The CPU is decently fast (8 cores!), the USB 3.0-based SATA III storage works great, the only downside I can see for this machine has to be the RAM; it only comes with 2GB, compared to the 4GB or 8GB on the Raspberry Pi 4.
But for my use case it seems to work fine, I am currently running a whole slew of apps on there via docker-compose, including the page you are reading right now, and it's using less than half of the avaliable memory. Horray for golang-based web services!
I'm using Armbian for the host operating system, and I have to say, I've rapidly become a fan of the Armbian project and community. They are very approachable online, and get this, the build script for the operating system worked on the first try when I tried to make a custom image on my amd64 workstation! I was able to easily produce an installable image file with my custom packages and software pre-installed / pre-compiled.
During the process of migrating / updating all my apps, I touched just about everything I host and even completely re-wrote some things.
What's New
-
I updated docker to the latest version and started using the userns-remap feature which allows me to automatically run containers in a separate user namespace, giving an extra layer of defense-in-depth.
-
I started using docker-compose v3, with individual docker networks for applications and groups of applications. This allows me to control whether certain apps are allowed to access the internet ("phone home") or not, and limit which other apps they can talk to.
-
I replaced nginx and certbot with Caddy Server 2
-
I replaced my jwilder/nginx-proxy ingress reverse proxy configuration script with my own custom code to automatically configure Caddy based on docker container labels.
-
I updated the Ghost blogging software (what I use to create this page) to the latest version.
-
I migrated from an old version of gogs (go git service) to the community-based gogs fork Gitea for my git server.
- Gogs is a much cooler name, but I decided to favor something community supported 😛
-
I completely re-wrote my blog comments system. It used to be a node.js app using leveldb, now it's a go app using BoltDB
- I used to use Google ReCaptcha as an anti-spam measure on my blog comments, but I replaced it with my own unique and home-grown solution called 💥PoW! Captcha.
- Now the blog comments support threads & email notifications too!
-
I updated my password manager to use the scrypt hash function for key derivation, and switched from Amazon S3 to Backblaze.
-
I implemented self-hosted GoatCounter web analytics for all of my web apps.
-
I started publishing the source code of my infrastructure configuration
-
You can see my server stats on my grafana instance, backed by influxdb and collected by telegraf.
-
I implemented my docker-api-security-gateway so I can give my caddy ingress auto-configurator & telegraf metric collector access to the docker API without the associated privilege escalation risks.
phew!🥵 this was hard work. I spent at least a month doing all of this stuff, but I'm proud of where I ended up. I'm glad to have up-to-date & secure tools to continue publishing and working. Plus I, have better visibility into my site & the web traffic, for what it's worth.
I wanted to have a more sturdy foundation as I continue to build greenhouse, and I think this is a great start.
I'll leave it at that for now, but I'm excited to write in depth about some of these updates in the future.