💾 Archived View for gemini.leafstorm.org › en › gemlog › 2022-07-30-finally.gmi captured on 2023-03-20 at 17:29:25. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-01-29)
-=-=-=-=-=-=-
I finally set up my own capsule! It has taken much longer than I hoped and the technology went in a bit of a different direction. But it's running!
In my last gemlog article about the subject, I mentioned that I had set up a VPS on DigitalOcean running Molly Brown. In doing so I was reminded how much maintenance a VPS requires, and how broad the attack surface is. Around the same time a number of interesting articles about the new platform-as-a-service Fly appeared on Hacker News, and I noticed that they supported non-HTTP applications. When DigitalOcean increased their prices, I decided to take down the VPS and start over on Fly.
Matthew Phillips had the same idea
I decided that, at least to start with, I would use Agate and include the content of the site in the container image. Not running an SSH server, Titan uploader, or whatever, would simplify maintenance quite a bit, and running a build each time I update the site content is not a big deal. The Dockerfile downloads a pre-built Agate binary from GitHub, adds a launcher script, and then copies in my content. The container builds in less than a second, the image is only 73 MB (though I might be able to drive it lower...), and the server is only using ~40 MB of RAM at the moment.
The only sticking point was how to handle the TLS certificates. The Fly platform has an option for terminating TLS without using HTTPS, but only with Let's Encrypt certificates -- which expire after three months and present errors for clients that use only TOFU. My initial draft used a volume to store the certificates, which worked, but was quite wasteful: I had a 1 GB volume holding 591 bytes of key material. So I reconfigured it to get the certificate and key from a (base64-encoded) environment variable, which I stored in Fly's secret store.
This means that if someone compromises the server (say, through a CGI script) they can extract the cert and key with relative ease. Using Fly's TLS termination would be much safer, but that would require an option to import custom certificates. In the meantime, if I did implement a service with higher security exposure I would probably use a separate app to terminate TLS and communiate with the backend over Fly's internal networking.
All in all, I spent maybe three or four hours setting up the capsule's technical infrastructure. It took longer just to install Docker Desktop on Windows...
Writing about myself, particularly in the form of an "about me" page, feels odd. One day on the train I had the idea to reframe the capsule as if it were a text adventure of sorts, exploring my (fictitious) office.
In one sense this requires more effort: if I want to communicate something about myself, I have to think of a way to "show, not tell" it. But in another sense, it requires less: the task of description is concrete rather than abstract, and I have more "genre conventions" to lean on.
📅 July 30, 2022
📧 Email Matthew about this entry
📓 Flip to the table of contents
(C) 2022 Matthew Frazier. All rights reserved.