💾 Archived View for paritybit.ca › sysadmin › openbsd-server-overview.gmi captured on 2022-07-16 at 13:41:57. Gemini links have been rewritten to link to archived content
All paritybit.ca services (except Misskey) run off of a single OpenBSD VPS.
This article gives an overview of the rationale and list of services running. Setup details are in the following article:
/sysadmin/openbsd-server-details.gmi
Get used to minimalism and security: componentised, privilege-separated binaries in file-system jails. Most of all, forget your instincts to search Google and StackExchange for every parameter and function call: man pages are your new best friend.
* OpenBSD ships with sensible and secure defaults.
* OpenBSD has excellent documentation: I can use the system to learn about the system instead of looking things up on half-baked, SEO-optimized, outdated articles.
* OpenBSD has straightforward and easy-to-manage system components (daemons, init system, updating, etc.).
* OpenBSD doesn't randomly break or unexpectedly change things out from under you when there's an update (changes are announced well in advance of you needing to upgrade).
* OpenBSD ships with a set of useful, well-written programs that make setting up a server a breeze (httpd, acme-client, relayd, etc.).
To summarize: OpenBSD isn't a pain.
I wanted to run everything from home to avoid paying for a VPS, but this came with its own set of drawbacks. I would be unable to experiment with things on my home network without taking down my public-facing services; there is no IPv6 access from my ISP; and the bandwidth is limited, so if someone wanted to download a larger file from me or many people were accessing my site at once, my own internet access would suffer. On top of that, a relatively powerful VPS costs €3.99/month, which is very affordable.
The VPS runs on a Hetzner CPX11 which has:
This amount of resources is about double what the things I publicly host use, but it leaves room for more services, and I didn't want to go lower than 2 vCPUs so that the server would be able to deal with influxes of traffic.
The total cost is €3.99/month, which is approximately CAD$5.80/month; that is less than a USD$5/month VPS from providers like Vultr and Linode, for better hardware.
The server hosts: an http server, a gemini server, a finger server, a git server, and a file sharing server.
The HTTP server uses OpenBSD's httpd which is very easy to configure and very light on resources.
I chose Solène Rapenne's vger as my gemini server. It uses OpenBSD's inetd to handle incoming connections and OpenBSD's relayd for TLS.
OpenBSD's inetd is used to call OpenBSD's fingerd.
The "git server" is really nothing more than a git daemon to handle cloning/fetching/pulling and stagit to generate static pages for each repository so code and changes can be browsed from a web browser. SSH is used to push changes to the server, and the git daemon is invoked using OpenBSD's inetd.
The file server also uses httpd, serving files over HTTP. Although the subdomain is "ftp", the ftp daemon is not active, as it provides no benefit over simply serving files with HTTP. There are no users who need to upload their own files to the server, and httpd and ftpd chroot to different locations, which would complicate administration.
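As an added illustration of the inetd-plus-relayd wiring described above (this is not the capsule's own configuration, which lives in the setup-details article): inetd.conf entries for the three inetd-spawned services, followed by the relayd relay that terminates TLS in front of vger. The per-service users, directories and the local port vger listens on are assumptions made for the example; the `--inetd`, `--export-all` and `--base-path` options are git daemon's own, and fingerd's `-l` and `-s` flags are OpenBSD's.

```conf
# /etc/inetd.conf (illustrative fragment, not the capsule's real file)
# Each line: service socket proto wait/nowait user program args
# inetd accepts the connection and hands the socket to a short-lived
# process running as an unprivileged, per-service user, so none of
# these daemons ever needs to bind a port or run as root itself.

# Gemini: vger listens on a local port only; relayd terminates TLS on
# 1965 and forwards plaintext here. Port, user and document root are
# assumptions for this example.
11965 stream tcp nowait _vger /usr/local/bin/vger vger -d /var/gemini

# Finger: OpenBSD's fingerd; -l logs each request, -s runs in secure
# mode (no user listing, no query forwarding).
finger stream tcp nowait _fingerd /usr/libexec/fingerd fingerd -ls

# Git (read-only clone/fetch/pull): --inetd makes git daemon read the
# connection from stdin/stdout; --export-all serves every repository
# under --base-path. The _git user and /var/git are assumptions.
# Pushes go over SSH and never pass through this daemon.
git stream tcp nowait _git /usr/local/bin/git git daemon --inetd --export-all --base-path=/var/git

# /etc/relayd.conf (illustrative fragment)
# relayd owns the public Gemini port with TLS and forwards the
# decrypted stream to the inetd-spawned vger. With no explicit
# keypair, relayd looks for the certificate and key named after the
# listen address under /etc/ssl and /etc/ssl/private.
relay "gemini" {
	listen on 0.0.0.0 port 1965 tls
	forward to 127.0.0.1 port 11965
}
```

The split keeps TLS handling in relayd (which already ships with OpenBSD and handles certificate reloads) while vger itself stays a tiny, privilege-separated program that only ever sees plaintext on a loopback socket.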
All of these services are run on the host machine. No "containers", "jails", or virtual machines are used. This was done intentionally to eliminate those as points of failure and administration headaches for a server that simply does not need to take advantage of those technologies.
This server is not backed up. Configuration files are saved both here in this wiki (the content of which is in a git repository also hosted on sourcehut) and on my personal computer. If those are lost, they are easy to re-create anyway. All data on the server already lives in git repositories which are on sourcehut, my own machines, and the server itself. Files served by the file server are not critical and also already exist on my local machines. It is trivial to wipe the server and re-create it, so I have no need to pay extra for automated backups or tarsnap usage.
Whenever updates are done or some significant change is needed, I can manually create a snapshot of the VPS in Hetzner's online console.
Mail is set up using the configuration described in: