motherfuckingblog/sites/jekyll-source/_posts/2025-06-22-wtf-is-this.md
Stewart Pidasso c021228161 init
2025-07-07 02:07:58 +00:00


---
title: "WTF Is this? Gimme the deets."
layout: post
date: 2025-07-06 15:11:26
---

TL;DR Github Repo

For 99% of users:

  • a <20kb blog about web infrastructure that they don't understand
  • that they found ranked high due to its 99% SEO scores
  • seems different, but they don't quite know why?
  • "yeah it's whatever. no ads was nice." - Average Chad

For OG MotherfuckingWebsite.com enjoyers:

  • A way to learn about static site generators like Jekyll (check out Hugo or 11ty too if this concept is new to you)
    • A way to systemize and organize if you plan on having more than a handful of posts.
    • Extensible, but not in the gross Wordpress way. For example, add search, table of contents, and more.
  • Some cool other shit in docker compose that makes it easier to own your data and your infrastructure.

For fucks sake whats all this other shit:

  • Isn't it weird products don't ship with security natively included? It's opinionated, but it's safer than the defaults in the other shit.
    • Traefik - Reverse proxy your management interfaces and IP Allowlist them in an easy way. Secure yourself against any dumb idea you are bound to add later.
    • Crowdsec WAF - Crowdsec is legit innovating and deserves more attention. Crowdsourced blacklisting and malicious signature detection.
  • Data Privacy:
    • Forgejo - FOSS Github. Better Post Revision History than Wordpress. But
    • Umami - FOSS Google Analytics Alternative. Privacy forward, 1st party.

How TF Do I Make A Blog

Configure your DNS and firewall on your cloud provider. You should restrict port 333 to trusted IP addresses only.

In the example I have used the Linode API to get a wildcard cert. If you don't care about TLS, you are wrong, but I get it. Traefik will create self-signed certs for you, but you will likely need to remove or modify the TLS settings in the compose file.

Once you have set up your cloud provider:

```sh
git clone thisRepo
cd thisRepo
cp .env.example .env
vim .env # make it match your environment
docker compose up
```

Deployment

It is capable of running on 1 shared CPU with 2 GB of RAM, as tested on Linode.

Running on 2 shared CPUs with 4 GB of RAM is sufficient for the full stack to run as smooth as butter for 99% of all users. On my personal fork unrelated to motherfuckingblog.com, I keep my Forgejo instance on another server with a Nextcloud instance and additional hardening. This isn't a bible, it's a starter kit to make it easier for normal people to iterate from. Take what you need and throw the rest out.

Security

Products should ship secure by default or at the least have a small handful of options that are easy to configure and harden.

This comes with Crowdsec WAF, which will share limited data with Crowdsec. If strict data isolation is essential, you need to remove this and consider a different WAF. There are alternatives, but at least be aware of what you are losing. Crowdsec with AppSec protects against human laziness. Essentially it acts as a real-time updated block list that matches against known malicious signatures in outdated software that you probably haven't patched yet, ya filthy animal.

All admin interfaces are restricted to an IP allowlist. Almost every org has VPNs; this is what they are meant for. If you are a noob and you just curl icanhazip.com then paste in your IP, prepare to temporarily lose access. Your ISP will rotate your IP and you will think you are SOL. You are not. You need your own private VPN (which is actually easy to do), or you need to bind these to the local interface and then perform SSH port forwarding any time you want to perform maintenance. That sounds scary, but I promise it is like two simple commands. I'm pretty sure you can just change the port binding at the top of the compose file from 333:333 to 127.0.0.1:333:333. Then you simply ssh user@remote -L 333:127.0.0.1:333

The Jekyll Admin interface has no authentication by default, so basic HTTP authentication was added via Traefik.

Additionally there is a strong benefit to using a non-standard port / custom entry point in Traefik (port 333 in this example) in the docker-compose file for this project. This allows for redundant allowlisting. On my cloud provider I also allowlist my IP address to those ports and deny all others. This means even if Traefik IP allowlisting is bypassed via some hacker black magic, I have a secondary defense.
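The three controls above (loopback-only port binding with an SSH tunnel, basic auth in front of Jekyll Admin, and a dedicated Traefik entry point on port 333 with an IP allowlist) fit in a few compose labels. The fragment below is an added illustration and is not the project's own compose file: the service names, the `admin` entry point name, the hostname, the VPN subnet and the htpasswd hash are all assumptions. Label names follow Traefik v3 (`ipallowlist`; in v2 the same middleware is spelled `ipwhitelist`).

```yaml
# Added example, not the project's compose file. Service names, entry point name,
# hostname, allowlisted ranges and the password hash are placeholders/assumptions.
services:
  traefik:
    image: traefik:v3.0
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.admin.address=:333"   # separate entry point for management UIs
    ports:
      - "80:80"
      - "443:443"
      # Weak setting:  "333:333"  publishes the admin entry point on every interface.
      # Hardened:      bind to loopback only; reach it through an SSH tunnel:
      #   ssh user@remote -L 333:127.0.0.1:333   then browse http://127.0.0.1:333
      - "127.0.0.1:333:333"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  jekyll-admin:                      # assumed service name for the Jekyll Admin UI
    image: example/jekyll-admin      # placeholder image
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.jekyll-admin.rule=Host(`admin.example.com`)"
      - "traefik.http.routers.jekyll-admin.entrypoints=admin"
      # Order matters: allowlist first, then auth, so unlisted sources never see a login prompt.
      - "traefik.http.routers.jekyll-admin.middlewares=mgmt-allowlist,mgmt-auth"
      # Assumed VPN subnet plus the Docker bridge range: traffic arriving through the
      # loopback publish above reaches Traefik from the bridge gateway (e.g. 172.17.0.1),
      # not from 127.0.0.1, so a loopback-only allowlist would lock out the SSH tunnel.
      - "traefik.http.middlewares.mgmt-allowlist.ipallowlist.sourcerange=10.8.0.0/24,172.16.0.0/12"
      # Jekyll Admin ships with no auth. Generate the entry with `htpasswd -nB admin`;
      # every `$` in the hash must be doubled inside a compose file. Placeholder hash here.
      - "traefik.http.middlewares.mgmt-auth.basicauth.users=admin:$$2y$$05$$PLACEHOLDER_BCRYPT_HASH"
```

A quick check after `docker compose up`: from an address outside the allowlist `curl -i http://admin.example.com:333/` should return 403 from Traefik (if the cloud firewall is also in place the connection should not complete at all), while through the tunnel it should return 401 until credentials are supplied. If you see 403 through the tunnel, the bridge range in `sourcerange` does not match your Docker network.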

Random Aside

It's just insane to me we just leave admin login portals open in the wild. WTF are we doing?

Please guess employee passwords on my public website an unlimited number of times.
- Every Chief Information Security Officer

Issues

It's ugly!

While I find this beautiful, you may prefer one of the thousands of free themes for Jekyll, which will make your site look exactly like the corporate garbage flooding the internet.

X Feature is Broken

Yep! Personally I know of the error that appears in the Jekyll Admin interface even though it is incorrect. But honestly that is at least half the point. If you properly restrict your broken tech behind network-level access controls, it mitigates the risk for a large portion of people.

Also, this isn't a pick-it-up-and-make-an-identical-blog kit. It is a starter kit. I know half of you are going to rip Jekyll Admin out. If you plan on using it, you are welcome to open issues with them or figure out how to use it. It works for my purposes and allows me to create, edit, and tag posts. I need nothing else.