qlyoung's wiki

Differences

This shows you the differences between two versions of the page.

personal_infrastructure [2023/09/08 23:12] – [OS] qlyoung
personal_infrastructure [2024/06/16 01:02] (current) – [Cost] qlyoung
Line 1: Line 1:
 +====== personal infrastructure ======
 +
 +
 //tldr - docker compose, isolated servers// //tldr - docker compose, isolated servers//
  
Line 29: Line 32:
   pub((public))   pub((public))
   priv((private))   priv((private))
-  access(needs to be publicly accessible) --> pub +  data{stores sensitive data?} 
-  data(stores sensitive data) --> priv +  onlyme{used only by me?} 
-  onlyme(used only by me) --> priv+  data --> |yes| priv 
 +  data --> |no| onlyme 
 +  onlyme --> |yes| priv 
 +  onlyme --> |no| pub
 </mermaid> </mermaid>
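Review bot: the new decision tree has no outcome in which a service that stores sensitive data ends up public, which is presumably the intent, but the old "needs to be publicly accessible --> pub" rule was dropped without saying so; a sentence around the chart stating that sensitive data is never served from the public side would stop a reader wondering where a public-facing service that holds sensitive data is supposed to go. The mermaid syntax is right for a decision chart: `{...}` diamonds for the two questions and `|yes|`/`|no|` edge labels.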
  
Line 40: Line 46:
 ===== Public ===== ===== Public =====
  
-For the public sphere, I use cloud-based Linux VMs from one of the affordable providers. I run most of my stuff on a single shared CPU VM with 4 CPU cores, 8gb of RAM and 50gb of disk space (storage is a later section).+For the public sphere, I use cloud-based Linux VMs from one of the affordable providers. I run most of my stuff on a single shared CPU VM with 4 CPU cores, 4gb of RAM and 50gb of disk space (storage is a later section).
  
 For things that need to be exposed in the internet I think cloud is the best choice. From a network isolation perspective serving things from your home means untrusted traffic will be flowing within your home network. Apart from security concerns there are other problems: For things that need to be exposed in the internet I think cloud is the best choice. From a network isolation perspective serving things from your home means untrusted traffic will be flowing within your home network. Apart from security concerns there are other problems:
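Review bot: minor wording in the unchanged context: "exposed in the internet" should read "exposed to the internet". The changed spec (4gb of RAM) is consistent with the reduced compute figure in the Cost section of this same revision.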
Line 49: Line 55:
   * Dynamic IP addresses makes access annoying   * Dynamic IP addresses makes access annoying
   * Advertising your home IP address is a mild security concern   * Advertising your home IP address is a mild security concern
 +    * can be mitigated if you rent an ultra cheap VPS and use it as a gateway; I did this initially but realized I can run everything on a cheap vps to begin with
   * Weather / residential power outages impact uptime   * Weather / residential power outages impact uptime
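Review bot: the added sub-bullet says a cheap VPS "as a gateway" mitigates advertising the home IP, but not how the gateway reaches the home side. It only hides the home address if the home end dials out to the VPS (a VPN/Tailscale-style tunnel, as the networking section already uses) rather than the VPS forwarding to an inbound port at home, which would just move the exposure; one clause to that effect would close the gap. Also, the nested item is indented with four spaces while the parent items use two; DokuWiki accepts it, but it is inconsistent with the rest of the list.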
  
Line 241: Line 248:
 </mermaid> </mermaid>
  
-If possible, I also configure applications so that users are served files directly from B2 rather than having them proxied through my VM, which improves performance both in terms of load time and bandwidth usage. When you watch a video on my Peertube server, your browser is downloading the video directly from B2, instead of `B2 → VM → You`.+If possible, I also configure applications so that users are served files directly from B2 rather than having them proxied through my VM, which improves performance both in terms of load time and bandwidth usage. When you watch a video on my Peertube server, your browser is downloading the video directly from B2, instead of ''B2 → VM → You''.
  
 ====== DNS & HTTP & TLS ====== ====== DNS & HTTP & TLS ======
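Review bot: the markup fix is correct (DokuWiki monospace is '' '', backticks are not rendered). Since the paragraph documents serving files to users straight from B2, it would help to say whether that relies on a public-read bucket or on per-request signed URLs, because that choice decides whether everything in the bucket, not just the video being watched, is reachable by anyone who learns an object name.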
Line 268: Line 275:
 ===== DNS ===== ===== DNS =====
  
-Each service is on its own subdomain. All subdomains `CNAMEto the main domain name (`qlyoung.net`) which has an `Apointing to the public IP of the VM. In my private infrastructure, the `Arecord instead points to a Tailscale IP - but more on that in the networking section.+Each service is on its own subdomain. All subdomains ''CNAME'' to the main domain name (''qlyoung.net'') which has an ''A'' pointing to the public IP of the VM. In my private infrastructure, the ''A'' record instead points to a Tailscale IP - but more on that in the networking section.
  
 ===== HTTP ===== ===== HTTP =====
  
-nginx runs on the host and binds host ports 80 and 443. All docker containers bind to `(127.0.0.1, P)where `Pis a host port number of my choosing. Each service has its own subdomain and a corresponding nginx configuration:+nginx runs on the host and binds host ports 80 and 443. All docker containers bind to ''(127.0.0.1, P)'' where ''P'' is a host port number of my choosing. Each service has its own subdomain and a corresponding nginx configuration:
  
 <code> <code>
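Review bot: in the DNS paragraph the first mention is now "an ''A'' pointing" while the second is "the ''A'' record"; use "''A'' record" in both for consistency. In the HTTP paragraph, binding containers to ''(127.0.0.1, P)'' is the part that keeps them off the public interface: a Docker published port with no host address binds 0.0.0.0, and Docker inserts its own iptables rules ahead of host firewall rules, so the loopback binding, not the firewall, is the control. Worth showing the compose form of that binding (''127.0.0.1:P:container_port'' under ''ports:'') next to the nginx snippet so it is not forgotten when a service is added.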
Line 383: Line 390:
 </code> </code>
  
-4. Set up new `CNAMErecord; `CNAME recipes.qlyoung.net -> qlyoung.net`+4. Set up new ''CNAME'' record; ''CNAME recipes.qlyoung.net -> qlyoung.net''
 5. Configure nginx, request and install TLS certificate 5. Configure nginx, request and install TLS certificate
 <code bash> <code bash>
Line 394: Line 401:
    $ certbot --nginx -d recipes.qlyoung.net    $ certbot --nginx -d recipes.qlyoung.net
 </code> </code>
 +
 6. ??? 6. ???
 7. Profit 7. Profit
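Review bot: step 5 as written (''certbot --nginx -d recipes.qlyoung.net'') depends on step 4's ''CNAME'' having propagated and on the nginx server block for that name already existing, because the nginx plugin answers the HTTP-01 challenge through nginx on port 80. The order in the list is right, so a short note that step 5 fails until the name resolves to the VM would save a confused retry. The blank line added before step 6 is fine.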
Line 399: Line 407:
 The deployment process is identical for both internal and external services. The deployment process is identical for both internal and external services.
  
-===== Backups =====+====== Backups ======
  
 Everything, private and public, is backed up with [[https://restic.net/|restic]] to offsite locations. It runs daily on a ''cron'' job. Everything, private and public, is backed up with [[https://restic.net/|restic]] to offsite locations. It runs daily on a ''cron'' job.
  
-===== Cost =====+====== Cost ======
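Review bot: promoting Backups and Cost to ====== puts them on the same level as "DNS & HTTP & TLS", which matches the page's top-level layout. The retained sentence "The deployment process is identical for both internal and external services" does not hold for the TLS step as documented: for private services the ''A'' record points at a Tailscale IP (DNS section), so Let's Encrypt's validators cannot reach nginx for the HTTP-01 challenge that ''certbot --nginx'' uses, and a DNS-01 challenge or another issuance path is needed there; either qualify the sentence or document the internal variant. On the restic line, stating whether each host's credentials can delete repository snapshots would be useful, since a compromised host can otherwise remove its own backups.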
  
  
Line 410: Line 418:
 Public bill: Public bill:
  
-  * Compute: $40/mo+  * Compute: $24/mo
   * B2 Storage (~200gb): ~$2/mo   * B2 Storage (~200gb): ~$2/mo
-* Total: ~$45/mo+  * Total: ~$26/mo 
 + 
 +{{tag>from_blog technology}}
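Review bot: the arithmetic checks out (24 + ~2 ≈ 26), and re-indenting the Total item makes it part of the list instead of a stray paragraph. The RAM change earlier in this diff (8gb to 4gb) and this compute change ($40 to $24) look like one VM resize; a short note of the plan change would make the two edits easier to relate.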
personal_infrastructure.1694214742.txt.gz · Last modified: 2023/09/08 23:12 by qlyoung
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International