First things first. Immediately after logging in via ssh I changed the default root password and installed fail2ban to slow down ssh brute forcing. Then I created a user for myself and added my ssh keys. Next up were the ssh configs: disabling root login, password authentication and changing the default port - the usual stuff. The last piece of essential security stuff was enabling automatic security updates with the unattended-upgrades package. Right after security comes ease of use, so just in case I ever need to log in via a miserable mobile connection I installed mosh. The final step was installing Docker and Docker Compose.
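As an added example (not a script from the original post), here is a small POSIX shell audit of the three sshd settings described above. It assumes a single file in the classic Debian layout (`/etc/ssh/sshd_config`) and does not follow the `Include` directive that newer Debian and Ubuntu releases use for `/etc/ssh/sshd_config.d/*.conf`; the sample files in the usage note are constructed for illustration. One caveat worth keeping in mind: of the three settings, only the first two are real access controls; moving the port mostly cuts log noise from scanners, which is still worthwhile once fail2ban is in the picture.

```shell
#!/bin/sh
# Added example, not the author's script: audit an sshd_config for the three
# changes described in the post (root login off, password auth off, non-default
# port). Assumes a single config file; "Include" directives are not followed.

# Effective value of KEYWORD in FILE. sshd takes the first occurrence of a
# keyword, matches keywords case-insensitively, and settings inside a Match
# block apply only conditionally, so parsing stops at the first Match line.
# Usage: sshd_opt FILE KEYWORD
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2            { next }
        /^[[:space:]]*[Mm]atch[[:space:]]/    { exit }
        tolower($1) == key                     { print $2; exit }
    ' "$1"
}

# Returns 0 when FILE matches the post's hardening, 1 otherwise, printing each
# finding. A commented-out keyword counts as unset, i.e. the compiled-in default
# (PasswordAuthentication defaults to yes; PermitRootLogin defaults to
# prohibit-password, which is reported here because the post sets it to "no").
audit_sshd_config() {
    f=$1
    rc=0
    [ "$(sshd_opt "$f" PermitRootLogin)" = "no" ] \
        || { echo "$f: PermitRootLogin is not 'no'"; rc=1; }
    [ "$(sshd_opt "$f" PasswordAuthentication)" = "no" ] \
        || { echo "$f: PasswordAuthentication is not 'no'"; rc=1; }
    port=$(sshd_opt "$f" Port)
    [ -n "$port" ] && [ "$port" != "22" ] \
        || { echo "$f: Port is the default (22)"; rc=1; }
    return "$rc"
}

# Stand-alone use against the live config (reading it usually needs root):
#   audit_sshd_config /etc/ssh/sshd_config && echo "sshd_config matches the post"
```

Run `sshd -t` after editing the real file, before restarting the service, so a typo cannot lock you out; and keep the current session open until a second login over the new settings succeeds.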
Docker stuff
For this site I used the official Nginx image with a basic config generated on nginxconfig.io. The compose file is almost as simple as it gets:
```yaml
version: '2'
services:
  nginx:
    image: nginx:stable-alpine
    restart: unless-stopped
    # no published ports: only the proxy on the proxynet network reaches this container
    expose:
      - 80
    networks:
      - proxynet
    # picked up by nginx-proxy and the letsencrypt companion via the Docker socket
    environment:
      VIRTUAL_HOST: antonlehmus.me
      LETSENCRYPT_HOST: antonlehmus.me
      LETSENCRYPT_EMAIL: [email protected]
    volumes:
      - "./public:/var/www/html"
      #- "./nginx.conf.d:/etc/nginx/conf.d/default.conf"
      - "./nginx.conf:/etc/nginx/nginx.conf:ro"
networks:
  proxynet:
    external:
      name: proxynet
```
To get easy SSL I used the jwilder/nginx-proxy and JrCs/docker-letsencrypt-nginx-proxy-companion images. This setup makes it super easy to add new sites in the future - all I need to do is add them to the “proxynet” docker network and give them a couple of environment variables. With some trial and error I ended up with the following docker-compose.yml:
```yaml
version: '2'
services:
  nginx-proxy:
    image: jwilder/nginx-proxy:alpine
    container_name: nginx-proxy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    networks:
      - proxynet
    environment:
      # list-form entries are split at the first '=' and not trimmed, so
      # 'ENABLE_IPV6= "true"' would set the value to ' "true"' (with the space
      # and quotes) and nginx-proxy would not recognise it
      - ENABLE_IPV6=true
      - DEFAULT_HOST=antonlehmus.me
    volumes:
      - "./nginx/vhost.d:/etc/nginx/vhost.d"
      - "./nginx/html:/usr/share/nginx/html"
      - "./nginx/certs:/etc/nginx/certs"
      # nginx-proxy watches container events through the Docker socket; a
      # read-only mount still gives the container full Docker API access,
      # which is root-equivalent on the host
      - "/var/run/docker.sock:/tmp/docker.sock:ro"
  letsencrypt-nginx-proxy-companion:
    image: jrcs/letsencrypt-nginx-proxy-companion
    restart: unless-stopped
    container_name: letsencrypt-nginx-proxy-companion
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - proxynet
    # shares vhost.d, html and certs with nginx-proxy so issued certificates land where nginx reads them
    volumes_from:
      - "nginx-proxy"
networks:
  proxynet:
    external:
      name: proxynet
```
Hugo
Getting started with Hugo was just as easy as I had hoped. First I created a base for the site with `hugo new site antonlehmus.me` and a post with `hugo new posts/hello_world.md`. Then I picked a theme I liked, cloned it with git into the themes folder, set up a couple of variables in the config.toml and I was good to go. Now all I had to do was write some markdown and run `hugo server -D` to run Hugo in development mode so I could see what I was doing. When I felt like the first post was good enough I just ran `hugo` and then copied the public folder over with scp. While writing this post and skimming around the Hugo docs I noticed some privacy related settings, so of course I added them.
```toml
[privacy]
  [privacy.disqus]
    disable = true
  [privacy.googleAnalytics]
    anonymizeIP = true
    disable = false
    respectDoNotTrack = true
    useSessionStorage = true
  [privacy.instagram]
    disable = false
    simple = true
  [privacy.twitter]
    disable = false
    enableDNT = true
    simple = true
  [privacy.vimeo]
    disable = false
    simple = true
  [privacy.youtube]
    disable = false
    privacyEnhanced = true
```
I’m still kind of debating whether I want to use Google Analytics or not. Maybe I should at least give it a try to see what it actually does.
But wait, there is more!
There’s still loads of things to do like:

- optimizing stuff
  - site assets with hugulp
  - nginx confs for both the proxy and this site
  - Google page speed stuff
  - probably something else too
- monitoring all the things
  - server
  - docker containers
  - uptime
  - but how?
    - cloud vs self hosted
    - Elastic stack?
    - Zabbix?
    - etc.
- backups
  - cloud vs self hosted
    - maybe both?
  - cloud vs self hosted
- migration
  - TeamSpeak
- modifying or building Hugo theme
Luckily none of these are urgent. I’ve paid for the old server until next August, and migrating TeamSpeak is the only essential thing on the list. Maybe one improvement and a post about it per month would be a reasonable pace to aim for.