The initial deployment

First things first. Immediately after logging in via ssh I changed the default root password and installed fail2ban to slow down ssh brute forcing. Then I created a user for myself and added my ssh keys. Next up were the ssh configs: disabling root login, disabling password authentication and changing the default port - the usual stuff. The last piece of essential security work was enabling automatic security updates with the unattended-upgrades package. Right after security comes ease of use, so just in case I ever need to log in over a miserable mobile connection I installed mosh. The final step was installing Docker and Docker Compose.
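As an added example (not from the original post), here is a small POSIX sh audit of the three sshd_config settings changed above. It works on a constructed sample config embedded inline and relies on the sshd_config(5) rule that the first occurrence of a keyword wins, and that lines after a Match line apply only to that block.

```shell
#!/bin/sh
# Audit an sshd_config text for the three settings the post changed by hand.
# sshd uses the FIRST occurrence of each keyword (sshd_config(5)), and anything
# after a "Match" line is conditional, so a hardening line appended to the end
# of the file can silently have no effect. This script catches that.

# Constructed sample config for demonstration only (not a real server's file).
SAMPLE_CONFIG='
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# hardening appended later -- the first occurrences above still win
PermitRootLogin no
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
'

# effective_value <config-text> <keyword>
# Prints the value sshd would use for <keyword> in the global section.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        tolower($1) == "match" { exit }                 # stop at conditional blocks
        $1 ~ /^#/ || NF == 0 { next }                   # skip comments and blanks
        tolower($1) == tolower(key) { print $2; exit }  # first match wins
    '
}

# audit_sshd <config-text>
# Prints one finding per line; prints nothing when all three checks pass.
# Defaults used when a keyword is absent are the OpenSSH 7.0+ defaults:
# PermitRootLogin prohibit-password, PasswordAuthentication yes, Port 22.
audit_sshd() {
    cfg="$1"
    root=$(effective_value "$cfg" PermitRootLogin)
    pass=$(effective_value "$cfg" PasswordAuthentication)
    port=$(effective_value "$cfg" Port)
    [ "${root:-prohibit-password}" = "no" ] || echo "PermitRootLogin is '${root:-prohibit-password}', expected 'no'"
    [ "${pass:-yes}" = "no" ] || echo "PasswordAuthentication is '${pass:-yes}', expected 'no'"
    [ "${port:-22}" != "22" ] || echo "Port is 22, expected a non-default port"
}

audit_sshd "$SAMPLE_CONFIG"
```

Run it against a real file with `audit_sshd "$(cat /etc/ssh/sshd_config)"`; the sample above reports all three settings as still at their weak values because the appended lines never take effect.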

Docker stuff

For this site I used the official Nginx image with a basic config generated on nginxconfig.io. The compose file is almost as simple as it gets:

version: '2'

services:
  nginx:
    image: nginx:stable-alpine
    restart: unless-stopped
    expose:
      - 80
    networks:
      - proxynet
    environment:
      VIRTUAL_HOST: antonlehmus.me
      LETSENCRYPT_HOST: antonlehmus.me
      LETSENCRYPT_EMAIL: [email protected]
    volumes:
      - "./public:/var/www/html"
      #- "./nginx.conf.d:/etc/nginx/conf.d/default.conf"
      - "./nginx.conf:/etc/nginx/nginx.conf:ro"

networks:
  proxynet:
    external:
      name: proxynet

To get easy SSL I used the jwilder/nginx-proxy and JrCs/docker-letsencrypt-nginx-proxy-companion images. This setup makes it super easy to add new sites in the future - all I need to do is add them to the “proxynet” docker network and give them a couple of environment variables. With some trial and error I ended up with the following docker-compose.yml:

version: '2'

services:
  nginx-proxy:
    image: jwilder/nginx-proxy:alpine
    container_name: nginx-proxy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    networks:
      - proxynet
    environment:
      # KEY=value with no spaces or quotes, otherwise the quotes and the
      # leading space become part of the variable's value
      - ENABLE_IPV6=true
      - DEFAULT_HOST=antonlehmus.me
    volumes:
      - "./nginx/vhost.d:/etc/nginx/vhost.d"
      - "./nginx/html:/usr/share/nginx/html"
      - "./nginx/certs:/etc/nginx/certs"
      - "/var/run/docker.sock:/tmp/docker.sock:ro"

  letsencrypt-nginx-proxy-companion:
    image: jrcs/letsencrypt-nginx-proxy-companion
    restart: unless-stopped
    container_name: letsencrypt-nginx-proxy-companion
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - proxynet
    volumes_from:
      - "nginx-proxy"

networks:
  proxynet:
    external:
      name: proxynet

Hugo

Getting started with Hugo was just as easy as I had hoped. First I created a base for the site with hugo new site antonlehmus.me and a post with hugo new posts/hello_world.md. Then I picked a theme I liked, cloned it with git into the themes folder, set up a couple of variables in config.toml and I was good to go. Now all I had to do was write some markdown and run hugo server -D to run Hugo in development mode so I could see what I was doing. When I felt the first post was good enough I just ran hugo and then copied the public folder over with scp. While writing this post and skimming through the Hugo docs I noticed some privacy related settings, so of course I added them.

[privacy]
  [privacy.disqus]
    disable = true
  [privacy.googleAnalytics]
    anonymizeIP = true
    disable = false
    respectDoNotTrack = true
    useSessionStorage = true
  [privacy.instagram]
    disable = false
    simple = true
  [privacy.twitter]
    disable = false
    enableDNT = true
    simple = true
  [privacy.vimeo]
    disable = false
    simple = true
  [privacy.youtube]
    disable = false
    privacyEnhanced = true

I’m still kind of debating whether I want to use Google Analytics or not. Maybe I should at least give it a try to see what it actually does.

But wait, there is more!

There’s still loads of things to do like:

  • optimizing stuff
    • site assets with hugulp
    • nginx confs for both the proxy and this site
    • Google page speed stuff
    • probably something else too
  • monitoring all the things
    • server
    • docker containers
    • uptime
    • but how?
      • cloud vs self hosted
      • Elastic stack?
      • Zabbix?
      • etc.
  • backups
    • cloud vs self hosted
      • maybe both?
  • migration
    • TeamSpeak
  • modifying or building Hugo theme

Luckily none of these are urgent. I’ve paid for the old server until next August and migrating TeamSpeak is the only essential thing on the list. Maybe one improvement and a post about it per month would be a reasonable pace to aim for.

Written by: Anton Lehmus

Hey hey, it's me again.