Self-hosting, Easy or Complicated?

Well, I have finally rented a server to tinker with. Self-hosting has been on the back of my mind for the past few years, and I'm excited. But now, how do I do it?

First Steps

I often visit r/selfhosted, and it's a good place to start if you are lost. First, I tried self-hosting on bare metal, i.e. no virtualisation or Docker, and it gets confusing quickly for a first-timer. OnTrack was the first app I tried to install, and truth be told, it wasn't a wise choice. The documentation assumes prior knowledge of Ruby and of installing PostgreSQL, which I didn't have. I managed to get it installed after a few grueling days and had it serving on localhost:3000, but then another problem came up: I couldn't access it from outside! It turned out OnTrack only listened on 127.0.0.1, and after some searching I found that I needed a reverse proxy to forward traffic from the internet to it.

Immediately I turned to Caddy, which I had heard about often because of its automatic TLS provisioning out of the box. So I installed it. But again, my lack of experience with anything Linux hit me. I didn't know where to put the Caddyfile, and besides, what should I put in the Caddyfile so I could reach localhost:3000 from outside? The reverse proxying example didn't work, and I threw my hands up with an exasperated sigh. You know what? Self-hosting is not as easy as it looked. (In hindsight, it was just my lack of knowledge rather than anything else, or perhaps I should've tried something easier like WordPress.)
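For the bare-metal case above, this is the kind of Caddyfile that was missing. It is an added example, not the author's config or anything from the Caddy project: it assumes the Debian/Ubuntu caddy package (config at /etc/caddy/Caddyfile, reloaded with systemctl) and uses placeholder hostnames under example.com that already resolve to the server. It goes a little beyond the single app in the text by rendering one site block per app from a list and refusing duplicate hostnames, which Caddy rejects as an ambiguous site definition.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the Debian/Ubuntu
# caddy package (config at /etc/caddy/Caddyfile) and that the hostnames
# below (placeholders under example.com) already point at this server.

# One line per app: "hostname=host:port". Constructed sample list; the
# upstreams stay bound to loopback, only Caddy faces the internet.
APPS='ontrack.example.com=localhost:3000
notes.example.com=127.0.0.1:8080'

# Emit a Caddyfile with one site block per app. Caddy listens on 80/443,
# obtains the TLS certificate itself and forwards to the local upstream.
render_caddyfile() {
    printf '%s\n' "$1" | while IFS='=' read -r site upstream; do
        [ -n "$site" ] || continue
        printf '%s {\n    reverse_proxy %s\n}\n\n' "$site" "$upstream"
    done
}

# Refuse duplicate hostnames: Caddy rejects a Caddyfile with two blocks
# for the same site, and it is an easy copy-paste mistake to make.
check_unique_sites() {
    dupes=$(printf '%s\n' "$1" | cut -d= -f1 | sort | uniq -d)
    [ -z "$dupes" ] || { echo "duplicate site(s): $dupes" >&2; return 1; }
}

# Render, validate without touching the running server, then install.
install_caddyfile() {
    check_unique_sites "$APPS" || return 1
    render_caddyfile "$APPS" > /tmp/Caddyfile.new
    if command -v caddy >/dev/null 2>&1; then
        caddy validate --config /tmp/Caddyfile.new --adapter caddyfile || return 1
    fi
    sudo install -m 644 /tmp/Caddyfile.new /etc/caddy/Caddyfile
    sudo systemctl reload caddy
}

if [ "${1:-}" = "--install" ]; then
    install_caddyfile
fi
```

Run it with `--install` on the server; without arguments it only defines the functions. The `caddy validate` step parses the new file with the caddyfile adapter first, so a typo is caught before the reload and the currently running config keeps serving.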

I took almost two weeks off to cool my mind before deciding to give it another shot.

Docker, the Saviour

Then Docker caught my attention. I had been avoiding it from the beginning since I didn't know much about Docker, and it looked complicated. Containers? Docker Compose? Swarm? Docker networks? They were just buzzwords to me. But I figured it shouldn't be as complicated as my previous attempt. And so I jumped in.

I'm a pretty paranoid person, so I searched for 'best security practices for Docker', in case I did the worst. The major things I learned were that Docker 'bypasses' UFW, and that you should never expose your Docker socket (/var/run/docker.sock).

Fortunately, I stumbled upon this wonderful Docker-selfhosted-apps guide by BaptisteBdn on GitHub. (You are a lifesaver, truly.) I learned that you can fix 'Docker bypassing UFW' with this nice guide by Chaifeng. The fundamentals of Docker are explained succinctly there by BaptisteBdn, and it was at this point that I started wondering, 'Maybe I can do it.'
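The 'Docker bypasses UFW' point is easier to reason about with a concrete check. The script below is an added example, not part of the post or of the guides it links: a port published as "8080:8080" is bound on every interface and Docker's own iptables rules admit it ahead of UFW, so the useful habit is to audit which listeners are not on loopback and to publish internal services on 127.0.0.1 only. The `ss -ltn` output and the image names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the post or the linked guides. Constructed sample
# of `ss -ltn` output, used instead of running ss so the script runs
# offline; on a real host pipe `ss -ltn` into the functions below.
# A docker-proxy listener for a published port shows up like any other.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   127.0.0.1:3000      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:8080        0.0.0.0:*
LISTEN 0      4096   [::]:8080           [::]:*
LISTEN 0      4096   [::1]:5432          [::]:*'

# Print every listening socket that is not on a loopback address, i.e.
# everything reachable from outside unless something in front blocks it.
list_exposed_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4
        if (addr ~ /^127\./ || addr ~ /^\[::1\]:/ || addr ~ /^localhost:/) next
        print addr
    }'
}

# Expected exposure on a reverse-proxied box: SSH plus what Caddy serves.
# Anything else printed here deserves a second look (UFW will not hide it
# if a container published it).
audit_listeners() {
    list_exposed_listeners | grep -Ev ':(22|80|443)$' || true
}

# Compose fragment: app-private binds its port on the host's loopback, so
# a reverse proxy on the same host reaches it but the internet does not;
# app-exposed is the common mistake. Image names are placeholders.
compose_port_examples() {
    cat <<'EOF'
services:
  app-private:
    image: example/app:latest
    ports:
      - "127.0.0.1:3000:3000"   # host loopback only
  app-exposed:
    image: example/app:latest
    ports:
      - "8080:8080"             # 0.0.0.0:8080, UFW will not stop this
EOF
}

if [ "${1:-}" = "--demo" ]; then
    echo "unexpected non-loopback listeners (sample data):"
    printf '%s\n' "$SAMPLE_SS" | audit_listeners
fi
```

On the sample data the audit flags 0.0.0.0:8080 and [::]:8080 and stays quiet about 127.0.0.1:3000; that is the difference the two compose services produce. Binding on 127.0.0.1 is a complement to the ufw-docker fix, not a replacement: it limits what Docker publishes in the first place, while the fix makes UFW rules apply to what is published.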

Interestingly, I didn't try one of his apps first; instead I tried installing Caddy Docker Proxy by lucaslorentz. Honestly, I just fell in love with Caddy for its out-of-the-box simplicity compared to Traefik's labels at first sight. (After installing both at a later point, I can say that at my scale both are pretty easy to use and install.) I failed a few times here; it took me almost a week to get a Grav site, this site, running. I realised that most of my mistakes were basically just typos here and there, which matter a great deal when it comes to configuration. For example, I was using “{{upstream}}” when trying to reverse proxy a container, missing the 's' in “{{upstreams}}”. Another example was that I kept forgetting the 's' in the docker-compose networks and environments configuration. As English is not my native language, I think I can get a pass here (hopefully).

Down the Rabbit Hole

Afterwards, I tried installing more 'complex' apps, with databases and such. Typing passwords and sensitive information into a plain docker-compose file always made me nervous, and fortunately I learned that you can pass them as a secret file! This MySQL installation guide helped me a lot, after I learned that you don't actually need Docker Swarm for secrets to be passed. Bonus point: I learned you can use the openssl rand command to generate a random password and pipe it to a file. No more copy-paste!
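Here is the whole flow from that paragraph in one script: generate the password with openssl rand, keep the file owner-only, and reference it from Compose as a file-based secret, which needs no Swarm. This is an added example, not the MySQL guide's code; it assumes the official mysql image, which reads the password path from MYSQL_ROOT_PASSWORD_FILE, and it adds a permission check the guide does not mention, since a world-readable secret file defeats the purpose of keeping the password out of the YAML.

```shell
#!/bin/sh
# Added example, not from the MySQL guide the post mentions. Assumes the
# official mysql image (reads MYSQL_ROOT_PASSWORD_FILE) and Compose
# file-based secrets, which work with plain `docker compose`, no Swarm.

# Generate a random password into a file that only its owner can read.
# umask runs in a subshell so it does not affect the rest of the script.
make_secret_file() {
    out="$1"
    ( umask 077
      if command -v openssl >/dev/null 2>&1; then
          openssl rand -base64 32 | tr -d '\n' > "$out"
      else
          # fallback if openssl is missing (assumes /dev/urandom exists)
          head -c 32 /dev/urandom | base64 | tr -d '\n' > "$out"
      fi )
}

# Sanity check before using a secret file: non-empty, and not readable by
# group or others (the whole point of keeping it out of docker-compose.yml).
check_secret_file() {
    f="$1"
    [ -s "$f" ] || { echo "$f is empty" >&2; return 1; }
    mode=$(ls -l "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "$f should be mode 600, is $mode" >&2; return 1; }
}

# Compose file referencing the secret. Inside the container it appears at
# /run/secrets/db_root_password; the password itself never lands in the
# YAML, in shell history, or in the environment shown by `docker inspect`.
write_compose() {
    cat > "$1" <<'EOF'
services:
  db:
    image: mysql:8
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
    secrets:
      - db_root_password
    volumes:
      - db_data:/var/lib/mysql

secrets:
  db_root_password:
    file: ./db_root_password.txt

volumes:
  db_data:
EOF
}

if [ "${1:-}" = "--setup" ]; then
    make_secret_file ./db_root_password.txt
    check_secret_file ./db_root_password.txt
    write_compose ./docker-compose.yml
    echo "now run: docker compose up -d"
fi
```

Run with `--setup` in the project directory, then `docker compose up -d`. Keep `db_root_password.txt` out of version control; the compose file can be committed, the secret file cannot.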

With that taken care of, at this point I started to consider a VPN to access my services. Exposing private apps to the internet seems like a major risk, and besides, I get to set up a VPN. Really cool. Both the Wirehole guide and BaptisteBdn's wireguard-unbound-pihole guide made it a breeze, and I'm really thankful for that. The headache came when I tried to install a WireGuard client on Ubuntu and found out that WireGuard has no client app? Just wg-quick, and the guides out there say you need to generate a private and public key to exchange with your server. It turned out the WireGuard images provide a ready-to-use conf file (and QR code) for you to use directly on your devices. Put it in /etc/wireguard/wg0.conf, run sudo wg-quick up wg0, sudo systemctl enable wg-quick@wg0.service, sudo systemctl start wg-quick@wg0.service, and you are good to go! People say it's easier than setting up an OpenVPN client, but I couldn't attest to that since WireGuard is my first experience dealing with a VPN.
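The client-side steps above, as an added example that is not from the post or the linked guides. It assumes Ubuntu with the wireguard package installed (which provides wg-quick) and a client config exported by the server container; the config shown is a constructed sample with placeholder keys, only used to exercise the check. It adds two things a practitioner would want: a check that the file has the fields wg-quick needs and is mode 600, because it holds the client's private key, and `systemctl enable --now`, which performs the author's start and enable in a single step.

```shell
#!/bin/sh
# Added example, not from the post or the linked guides. Assumes Ubuntu
# with `apt install wireguard` done. SAMPLE_CONF is a constructed client
# config with placeholder keys; a real one comes from the server container.
SAMPLE_CONF='[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY_PLACEHOLDER>
Address = 10.13.13.2/32
DNS = 10.13.13.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY_PLACEHOLDER>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25'

# Refuse a config that is missing the keys wg-quick needs, or that other
# users can read: the file carries the client's private key.
check_wg_conf() {
    conf="$1"
    for key in PrivateKey Address PublicKey Endpoint AllowedIPs; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$conf" \
            || { echo "$conf: missing $key" >&2; return 1; }
    done
    mode=$(ls -l "$conf" | cut -c1-10)
    [ "$mode" = "-rw-------" ] \
        || { echo "$conf: should be mode 600, is $mode" >&2; return 1; }
}

# Install the config root-only as wg0 and bring the tunnel up at boot.
# `enable --now` starts the unit (which runs wg-quick up) and enables it,
# so there is no separate wg-quick up / systemctl start pair.
install_wg_client() {
    conf="$1"
    check_wg_conf "$conf" || return 1
    sudo install -m 600 -o root -g root "$conf" /etc/wireguard/wg0.conf
    sudo systemctl enable --now wg-quick@wg0.service
    sudo wg show wg0          # a "latest handshake" line means the peer answered
}

if [ "${1:-}" = "--install" ] && [ -n "${2:-}" ]; then
    install_wg_client "$2"
fi
```

Usage: `sh wg-client.sh --install ./peer1.conf`. With AllowedIPs set to 0.0.0.0/0, ::/0 as in the sample, all traffic goes through the tunnel; narrowing it to the VPN subnet (10.13.13.0/24 in the sample addressing) routes only the self-hosted services through it.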

And I went crazy after that. I installed note-taking apps, automation tools, Gotify, and so on. I must say self-hosting with Docker is really a breeze once you get past the initial confusion. I might need to run an nmap scan on my server again to find rogue open ports, and pen test it, I guess, so it's safe. Or am I overdoing this stuff? Eh, I guess no one knows at this point.