💾 Archived View for gem.twunk.uk › log › 2020-12-12-server-setup-2020.gmi captured on 2024-03-21 at 14:57:58. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-05-24)

-=-=-=-=-=-=-

Server Setup 2020

This entry was copied from my mostly-idle WWW blog since it is referenced from my more recent and still mostly-idle gemlog. I've converted it to text/gemini, but... only kinda. I didn't do it very carefully.

Server setup overview:

Firewall / nftables (etc)

[nftables](https://www.nftables.org/) for packet filtering. Manually configured:

Services

Why wireguard?

SSH should be strong if properly configured (and the _intention_ is to keep the SSH configuration strong), so why put it behind wireguard? A few reasons:

Why nftables?

nftables is used as a firewall. There are three questions here. Let's start from the easiest:

Why Hetzner?

It's the cheapest non-sketchy Cloud/VM provider I could find. Since I'm not looking to build anything with "High Availability" and I'm not interested in using the many scalable but expensive "managed services"/Cloud SaaS providers, running one or two cheap VMs that I manage myself is what I want.

Hetzner provides a few premade OS images to use; when you create the VM in the first place the only ones it presents you with are Debian (currently Debian 10), Fedora, CentOS, or Ubuntu. I have no prior experience with Fedora, so that's probably not a great idea for me. Ubuntu seems to always have its own weird variants of what everyone else is using (e.g., "Snap" based installs, and stuff), plus I don't really trust them not to have telemetry or advertising by default, so Ubuntu is out. I don't know why anyone would pick CentOS, I suppose there must be some reason, but it's not for me. So that leaves **Debian**. Hooray Debian! You may be old and stuck in your ways, but at least I can trust you to be sane and stable.

(Hetzner has some install ISOs for a bunch of other distros and also for some BSDs and stuff, but let's not worry about that).

Hetzner uses [cloud-init](https://cloud-init.io/) to inject an SSH key you provide into the VM when it's first set up, so the thing is initialised with a no-password root account that can only be accessed via pubkey SSH. Good.