---
title: Obligatory Rant/Background
layout: post
---

All I wanted was a simple small af static blog where I owned the stack and the data. But the **problems**:

* Thinking about CSS between paragraphs ruins my ability to write.
* TinyMCE's minified and compressed core is [100x larger](https://github.com/tinymce/tinymce/issues/4028) than my entire front end codebase.
* Managing more than a dozen posts is a nightmare.
* WordPress is somehow even worse.
* Need to add search, tags, or any other features? Almost everything requires Node, PHP, or something insane that is probably millions of times larger than my entire codebase.
* Hosting? Every Jekyll post is about how to host on Microsoft's GitHub. (Surely Microsoft would [never](https://arstechnica.com/information-technology/2025/02/copilot-exposes-private-github-pages-some-removed-by-microsoft/) [misuse](https://www.wired.com/story/github-commercial-ai-tool-built-open-source-code/) your data.)
* Want to know if anyone even looked at your site? Good thing Google hasn't been using your data to literally facilitate a genocide or anything... [oh wait](https://web.archive.org/web/20240720084622/https://www.wired.com/story/amazon-google-project-nimbus-israel-idf/).

So this is my opinionated attempt to move the needle the other direction.

**If you didn't understand anything I just said**, throw it in an LLM/"AI" and ask it to explain. You can understand anything you set your mind to. Don't doubt yourself.

**For the Nerds who are still with me**: This is a ***self-hosted*** **starter kit** for people sick of big bro. It is at the point where it could be taken in several directions.

- Dev and Prod versions of the site for development? Check.
- 10kb static site? Check.
- Layers of security? Check.
- First Party data? Check.

Check out other posts for some ideas or to learn more. In short, this is an opinionated **Docker Compose** project that uses:

- **Traefik** for reverse proxying all admin interfaces.
- **Jekyll**, the same tech behind GitHub Pages, to build static sites.
- **Nginx** as the lightweight webserver.
- **Forgejo** for version control.
- **Umami Analytics**, because we are all a little vain.
- **Crowdsec WAF** for additional security.

This gives me a clean, cloud-based markdown writing environment with proper version control and monitoring.

### Deployment

It is capable of running on 1 shared CPU with 2 GB of RAM. RAM is the limiting factor.

Running on 2 shared CPUs with 4 GB of RAM is sufficient for the full stack to run as smooth as butter for 99.9% of all users.

On my personal fork unrelated to motherfuckingblog.com, I keep my Forgejo instance on another server with a Nextcloud instance and additional hardening. This isn't a bible, it's a starter kit to make it easier for normal people to iterate from. Take what you need and throw the rest out.

### Security

Products should ship secure by default, or at least have a small handful of options that are easy to configure and that harden the product.

This comes with Crowdsec WAF, which will share limited data with Crowdsec. If strict data isolation is essential, you need to remove this and consider a different WAF. There are alternatives, but at least be aware of what you are losing. Crowdsec with AppSec protects against human laziness. Essentially **it acts as a real-time updated block list** that matches incoming requests against signatures of known attacks on outdated software that you probably haven't patched yet, ya filthy animal.

***All Admin Interfaces are restricted to an IP Allowlist.*** Almost every Org has VPNs; this is what they are meant for.

*If you are a complete noob*, it is okay. You will need to learn a bit to use this project, but it is within grasp. Don't discount yourself. **There is a big gotcha here.** If you just `curl icanhazip.com` and paste your IP into the allowlist, it will work. YAY! Party time! But *prepare to temporarily lose access*: your ISP will rotate your IP and you will think you are shit outta luck. You are not. Ideally you would use your own private VPN (which they literally have scripts to deploy; it's easy to do), or you need to bind these to the local interface and then perform SSH port forwarding any time you want to perform maintenance or view your dashboards. That sounds scary, but I promise it is like two simple commands, though some additional config is probable.

The **Jekyll Admin interface had no authentication by default, so basic HTTP authentication was added** via Traefik. For God's sake, keep your admin interfaces from being externally accessible to anyone but trusted individuals.

Lastly, there is a strong benefit to **using a non-standard port / custom entry point in Traefik** (port 333 in this example) in the docker-compose file for this project. This allows for redundant whitelisting. On my cloud provider I also whitelist my IP address to those ports and deny all others. This means that even if Traefik's `IPAllowlist` is bypassed via some hacker black magic, I have a secondary defense.
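Here is how the controls from this whole section fit together in Docker Compose labels for Traefik v3, as an added example and not this project's own `docker-compose.yml`: the custom `admin` entry point on port 333, an `ipAllowList` middleware, basic auth in front of the Jekyll admin interface, and, as the tunnel-based alternative from the allowlist paragraph, a loopback-only port binding reached over SSH. The service names, the hostname `admin.example.com`, the `203.0.113.0/24` range (a documentation-only range) and the bcrypt hash are placeholders I chose; the Jekyll image, port 4000 and the `/admin` path are my assumptions, not taken from the project.

```yaml
# Added example, not the project's compose file. Names, host, IP range and hash are placeholders.
services:
  traefik:
    image: traefik:v3.0          # assumption: any Traefik v3 release with the ipAllowList middleware
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false   # nothing is routed unless a service opts in
      # Dedicated entry point for admin UIs. Because it is its own port, a provider-side
      # firewall rule ("allow 333 from my VPN range, deny everything else") is a second,
      # independent allowlist that still holds if the Traefik one is misconfigured.
      - --entrypoints.admin.address=:333
      # TLS on that entry point so basic-auth credentials never cross the wire in clear.
      # Without a certresolver or a mounted cert Traefik serves its default self-signed cert.
      - --entrypoints.admin.http.tls=true
    ports:
      - "333:333"
    volumes:
      # Read-only, but still broad Docker API access for Traefik; a known trade-off of the docker provider.
      - /var/run/docker.sock:/var/run/docker.sock:ro

  jekyll-admin:
    image: jekyll/jekyll:4       # assumption: the project may use a different image or command
    command: jekyll serve --host 0.0.0.0 --port 4000   # assumption: jekyll-admin plugin serves /admin on this port
    labels:
      - traefik.enable=true
      - traefik.http.routers.jekyll-admin.rule=Host(`admin.example.com`)   # placeholder host
      - traefik.http.routers.jekyll-admin.entrypoints=admin                # reachable only via :333
      - traefik.http.routers.jekyll-admin.middlewares=admin-allow,admin-auth
      - traefik.http.services.jekyll-admin.loadbalancer.server.port=4000
      # Allowlist: put your VPN's egress range here, not your home IP (ISPs rotate those
      # and you lock yourself out). 203.0.113.0/24 is a documentation-only placeholder.
      - traefik.http.middlewares.admin-allow.ipallowlist.sourcerange=203.0.113.0/24
      # Basic auth, since the Jekyll admin UI has none of its own. Generate the line with
      # `htpasswd -nB admin`; every `$` in the hash must be doubled inside a compose file.
      - traefik.http.middlewares.admin-auth.basicauth.users=admin:$$2y$$05$$PLACEHOLDER_BCRYPT_HASH
    # Alternative to exposing it on :333 at all: bind to the host loopback and reach it
    # over an SSH tunnel (`ssh -L 4000:127.0.0.1:4000 you@your-server`, then open
    # http://localhost:4000/admin). Drop the Traefik labels above if you go this way.
    # ports:
    #   - "127.0.0.1:4000:4000"
```

Two things to check before relying on this. First, `ipAllowList` compares the address Traefik sees as the TCP peer; if a CDN or another proxy sits in front of Traefik, that address is the proxy's, and you must tell the middleware how far back in `X-Forwarded-For` to look (`traefik.http.middlewares.admin-allow.ipallowlist.ipstrategy.depth=1` for one trusted hop), otherwise the allowlist silently admits or rejects the wrong clients. Second, test the deny path and not just the allow path: a request to port 333 from an address outside the range should get a 403 from Traefik, and with the provider firewall in place it should not even complete the TCP handshake.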