This is my first post on my new site; I hope someone finds it helpful!

    • @h0bbl3s (OP), 6 months ago

      I know I know. If you wanna install certbot another way feel free. Share it with me I’m sure it’ll take up less space. I only did it that way because it’s the certbot official©®™ instructions. That and I had issues with the other method I tried.

        • @h0bbl3s (OP), 6 months ago

          Hah, did not know about that, thanks!

          • keisatsu, 6 months ago

            Yeah, it took a while for me to find as well; Debian moved to managing a lot of packages you used to install with pip. In many cases you can just prefix pip packages with python3- and find them via apt.

            • @h0bbl3s (OP), 6 months ago

              I knew that worked for a lot of stuff. That used to be what I’d try first, but I honestly just use a venv for pretty much anything that uses pip nowadays. Still helpful to know there is a package though, thanks! I intend to test it out.

      • @mostlikelyaperson, 6 months ago

        Another thing you could check out is Caddy; it comes with a lot of stuff onboard and has an optional crowdsec module (though I should point out that I never used that module myself, so I can’t make guarantees about how well it works): https://caddyserver.com/

        • @h0bbl3s (OP), 6 months ago

          Excellent thank you! I’ll check this out.

      • exu, 6 months ago

        I can really recommend acme.sh if you wanted to try a certbot alternative.

        • lemmyvore, 6 months ago

          Or a docker image with Nginx Proxy Manager. You get a working reverse proxy, an automatically renewing certbot, easy to use UI, plus a working nginx install that you can use for serving static files, forward proxy etc.

        • @h0bbl3s (OP), 6 months ago

          Awesome I’ll look into it for sure!

        • @h0bbl3s (OP), 6 months ago

          I’ve got plenty of experience with docker and I’ve heard of traefik but never used it. Thanks, I’m gonna look into it.

      • Possibly linux, 6 months ago

        It is in the official repos

        sudo apt-get install certbot
        

        You also can use a container

        • @h0bbl3s (OP), 6 months ago

          I could have sworn I tried it. facepalm I’ll check that out, then I might edit that part.

  • moonleay, 6 months ago

    Hey,

    cool seeing another bearblog in the wild (I also use Hugo + Bear for my blog).

    Quick question: Why do you deploy the Hugo dev server and don’t build your page to static HTML?

    • @h0bbl3s (OP), 6 months ago

      Awesome, it is good to see the bearblog getting some love. Just to keep it short, mostly. I was debating adding another article continuing this one, using nginx for that part. I could add a section to this one though. Or would you use something other than nginx? I’m open to suggestions. I checked yours out, it’s a bit snappier than mine :). What are you running?

      • nickwitha_k (he/him), 6 months ago

        I’d love to see more on something like Envoy as the reverse proxy. I tend to think of reverse proxies in “generations”:

        1. Apache and Friends
        2. Nginx and Buddies
        3. HAProxy and Pals
        4. Envoy and Associates

        I’m rather familiar with 0-2 from my previous work. It’s really a pity, to me, that nginx is favored so heavily over HAProxy, as all the perf and HA testing that I’ve done has resulted in nginx being left in the dust. The benchmarks that I’ve seen for Envoy show similar standings. I just haven’t spent the time yet to get familiar with it.

      • moonleay, 6 months ago

        I use CI to compile the page and add it to nginx, which I then build into a docker container. Once it’s finished, I deploy it to my server and it gets served by traefik.

        That’s another thing I was curious about. Is there a reason why you didn’t use docker?

        You mentioned in another comment that you used snap because it is used in the official certbot instructions. Did you intend this to be 100% faithful to the official docs?

        • @h0bbl3s (OP), 6 months ago

          Nice. I might have to clone that setup for fun. What do you use for CI? I’ve got Jenkins running, but I’ve been wanting to play with GitLab CI/CD too.

          I do a lot of my dev work in docker containers, simply so I’m in a clean environment. Doesn’t hurt in ease of backup either. No particular reason not to use docker; I also wanted to keep it kind of brief and simple. The guide I originally read that inspired me had a lot of things that were very outdated, and as I worked through getting it working on Debian 12 I generally stuck with the source providers’ instructions when things weren’t already packaged for dpkg, or alternatives were more complex.

          I am currently mulling over doing extensions on this guide and adding links at the bottom, or just extending this one a bit. Also just thinking about writing a guide for other stuff too. I’ve been helping people on Discord and IRC a bit recently, and some of what I know might be useful to someone.

          I don’t know everything by any means, far from it, but I’ve been around since my first BeOS and Slackware installs a long time ago and I’ve picked up a lot. I worked developing and deploying pfSense images for a company years ago and have just had a lot of random experience in Linux and BSDs over the years.

            • @h0bbl3s (OP), 6 months ago

              😱 I had no idea. I just went and read through that wow. I hope they don’t sell to someone scummy.

  • @[email protected], 6 months ago

    Is it just as secure doing this (with crowdsec) vs hosting on a rented server from a cloud provider?

    • @h0bbl3s (OP), 6 months ago

      My site is on a rented server at DigitalOcean. Some providers do more or less to protect you themselves though. I don’t think DigitalOcean does much monitoring or protecting; I’ve had servers on there compromised in the past that would have been caught by my current setup. It can’t hurt in any case.

      I also run crowdsec on my home setup, but I don’t have any open ports at home and never get alerts. I had Suricata running and plugged into crowdsec as well so it would handle blocking for both, but Suricata never got any action with crowdsec blocking malicious activity, so I disabled it to save resources.

      • @[email protected], 6 months ago

        I don’t mean about relying on the protection from these providers. I am talking about the inherent increased security of hosting on a server that’s on a different network than your local network.

        • @h0bbl3s (OP), 6 months ago

          Oh, gotcha. It was late when I replied :p. You absolutely get security with a layer of separation from hosting remotely. I monitor my home network and have a similar setup, but I don’t host anything from here. I never get attacked or probed at all compared to my remote server. Just having those open ports makes you a target. Once a few scanners pick up on you hosting content, you will absolutely start getting attacked. Another benefit is you don’t have to have any passwords on your remote host, just an ssh key. They can brute-force all they want; good luck without a zero day. You also keep your personal IP address out of people’s scope by not hosting from the local network.

          I used to run much heavier protection on my home network, but after keeping an eye on all the logs and alerts for a while I realized I was mostly just wasting RAM and storage space. Sane firewall settings are enough for a typical home, and something like crowdsec is probably overkill.

          Now if you are hosting stuff it’s a different story. I would actually harden my local network MORE than I did the remote one, due to much more of my personal stuff being on my local network. My remote host being compromised would be a mild hassle at most; it does self-backups once a week, and I have my entire site in a private git repo I sync to. It would take a few minutes to throw up another server, whereas if my home stuff got compromised a lot more damage could be done.
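The "no passwords on the remote host, just an ssh key" posture in the comment above is easy to get slightly wrong, because keyboard-interactive authentication can still accept a password even when PasswordAuthentication is off. As an added example (not code from the thread or from any of the projects mentioned), this POSIX shell function reads the effective server settings as printed by `sshd -T` and reports anything that would still let a password be tried; the two sample outputs are constructed, not captured from a real host.

```shell
# Added example. Reads `sshd -T` output on stdin (lowercase keyword, value)
# and prints every setting that still permits a password login.
# Returns 0 when the host is key-only, 1 otherwise.
check_key_only_sshd() {
    problems=0
    pw=unknown; kbd=unknown; pub=unknown; root=unknown
    # challengeresponseauthentication is the pre-OpenSSH-8.7 name of the
    # keyboard-interactive knob; `sshd -T` prints one name or the other.
    while IFS=' ' read -r key value; do
        case "$key" in
            passwordauthentication) pw=$value ;;
            kbdinteractiveauthentication|challengeresponseauthentication) kbd=$value ;;
            pubkeyauthentication) pub=$value ;;
            permitrootlogin) root=$value ;;
        esac
    done
    [ "$pw" = no ]   || { echo "PasswordAuthentication is $pw (want no)"; problems=1; }
    [ "$kbd" = no ]  || { echo "KbdInteractiveAuthentication is $kbd (want no)"; problems=1; }
    [ "$pub" = yes ] || { echo "PubkeyAuthentication is $pub (want yes)"; problems=1; }
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin is $root (want no or prohibit-password)"; problems=1 ;;
    esac
    return "$problems"
}

# Constructed sample of `sshd -T` output from a key-only host.
sample_hardened_sshd_T() {
    printf '%s\n' \
        'port 22' \
        'permitrootlogin prohibit-password' \
        'pubkeyauthentication yes' \
        'passwordauthentication no' \
        'kbdinteractiveauthentication no'
}

# Constructed sample matching upstream OpenSSH defaults: passwords still accepted.
sample_default_sshd_T() {
    printf '%s\n' \
        'port 22' \
        'permitrootlogin prohibit-password' \
        'pubkeyauthentication yes' \
        'passwordauthentication yes' \
        'kbdinteractiveauthentication yes'
}

# On a real host you would run:  sudo sshd -T | check_key_only_sshd
sample_hardened_sshd_T | check_key_only_sshd && echo "hardened sample: key-only, ok"
sample_default_sshd_T | check_key_only_sshd || echo "default sample: NOT key-only"
```

Because `sshd -T` prints the merged, effective configuration, this also catches a drop-in file under sshd_config.d that quietly re-enables passwords after the main file turned them off.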