As I’m letting perfectionism and what I’m currently learning and working on deter me from getting more content onto here sooner, I thought I’d post a quick rundown of how I have configured this site, just to get something on here and because I’m quite pleased with the end result and figure it may be helpful to anyone who would like to set up something similar.

My initial goal was to keep things as fundamental as possible. I’ve previously set up nginx and Let’s Encrypt and written basic HTML, CSS, JS and PHP, but for the sake of convenience and not wasting too much time centering a div, I decided to look into what options I have available that can generate most of the code and take care of the styling for me.

In my brief research, most of the popular open source options were written in Node.js, which I personally try to avoid like the plague. Hugo being written in Go and otherwise keeping things static and simple, as well as having theme support, made it my first choice and I haven’t looked back since. I pretty quickly found this beautiful theme for it, which fit the image I had in my mind. I’m a little stuck in the past and a sucker for TUI-style anything because of my preference for TUIs in general. There are no fancy JavaScript animations or PHP functionality here, but it reminds me of websites from my childhood and that makes me happy.

For hosting I looked for a cheap Debian VPS hosted here in Perth and did the following:

  • set up SSH keys and tightened SSH access
  • made an administrator user with sudo access and a non-administrative blog user
  • disabled root user
  • installed and configured ufw
  • installed and configured fail2ban
  • created subdomain blog. and configured DNS entries to point to the VPS
  • installed and configured nginx and configured blog site (separately from the root domain in case I want to use that later)
  • installed letsencrypt and configured nginx HTTPS
  • ensured site directory permissions are correct
  • configured automatic upgrades with unattended-upgrades
  • did some minor kernel hardening

I then installed Hugo and the hugo-theme-terminal and configured my blog user to work with it and build the site into the directory nginx is configured to serve. It was pretty obvious git was going to become useful for saving me from manually backing up the site, so I then installed that and set up a private repo and an SSH key for pushing/pulling from it, which I configured as a read-only deploy key. Finally I wrote a short cron script to check if the repo has changed once an hour, pull the changes if it has and build the site with Hugo.
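An hourly check-and-build job like the one described above could look like this. It is an added example, not the author's actual script; the paths in the crontab line, the lock directory name and the `BUILD_CMD` override are assumptions.

```shell
#!/bin/sh
# Added example, not the author's script. Paths in the usage line are assumptions.
# Hourly crontab entry for the blog user:
#   0 * * * * /home/blog/bin/deploy.sh /home/blog/site /var/www/blog

# Build command, called as: $BUILD_CMD <repo dir> <web root>
BUILD_CMD=${BUILD_CMD:-build_with_hugo}

build_with_hugo() {
    hugo --source "$1" --destination "$2" --cleanDestinationDir
}

# Returns 0 = new commits deployed, 1 = nothing changed, 2 = error.
sync_and_build() {
    git -C "$1" fetch --quiet origin || return 2
    local_rev=$(git -C "$1" rev-parse HEAD) || return 2
    remote_rev=$(git -C "$1" rev-parse '@{u}') || return 2
    if [ "$local_rev" = "$remote_rev" ]; then
        return 1
    fi
    # --ff-only refuses to merge when the checkout has diverged from the
    # remote (for example, commits made on the VPS itself), so the served
    # site only ever moves forward along the remote history.
    git -C "$1" merge --quiet --ff-only "$remote_rev" || return 2
    "$BUILD_CMD" "$1" "$2" || return 2
    return 0
}

# Wraps sync_and_build in a mkdir lock so a slow build cannot overlap
# with the next hourly run.
deploy_if_changed() {
    lock="$1/.git/deploy.lock"
    if ! mkdir "$lock" 2>/dev/null; then
        echo "deploy: previous run still holds $lock" >&2
        return 2
    fi
    rc=0
    sync_and_build "$1" "$2" || rc=$?
    rmdir "$lock"
    return "$rc"
}

# Run only when called with both arguments, as in the crontab line above.
if [ "$#" -ge 2 ]; then
    deploy_if_changed "$1" "$2"
    [ "$?" -le 1 ]   # "nothing changed" is not a failure for cron
fi
```

Because the deploy key is read-only, this job only ever fetches; a return code of 2 from a diverged checkout is also a cheap signal that something on the VPS changed the repo outside the normal push path.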

The minimal static nature of the site reduces the attack surface a lot and I’ve hardened the VPS itself as much as I can. If the VPS does get compromised, I’m not storing anything on here that I’m not already sharing publicly and I can easily revoke the read-only auth key via GitLab from my dev system, then destroy the VPS, undo any defacement from my local repo on my dev system, set up a new VPS with a new read-only key, pull the repo and be back up.

One of my new side projects now is to explore better solutions for monitoring the site and being alerted of changes I haven’t made, as well as ensuring my process for revoking the key is fast so I can minimize the time it remains defaced in such a situation. I’d also like to soon move from Debian to some kind of immutable alternative, as I’m starting to become a fan of the immutable desktop OSes I’m using and I’m eager to try a server version.

Doing it this way lets me make edits to the site locally on my dev system (no need to scp images over to the VPS, I can just copy them into the dir and git push handles that for me), push the changes when I’m ready, and either ssh in and pull the repo if I’m desperate for the change to go live immediately or just leave it from here and wait for the next cron job to do it.