For some time I have been thinking about moving my personal data away from cloud service providers and into my own infrastructure. This became especially important when it was revealed that the US government had backdoors into most of the large US tech companies. I spend my life on the Internet, so changing how I use it will not be an easy task. Cloud services provided by companies like Google, Yahoo, Microsoft, Dropbox, etc. make it easy and usually free to have your data always available on every device. I just started this blog on my new personal server. Let’s go over what I’ve done so far. This is not intended to be a detailed tutorial. You can follow the individual tutorials that I will link to, just like I did.
My server is a DigitalOcean “droplet.” I got the cheapest option they have, for $6 per month with backups ($5 without). This is a virtual private server (VPS), meaning they give me root access to a virtual machine with a public IP address. I chose to have my droplet hosted in their Amsterdam data center because it is outside US territory. I also chose the “LAMP on Ubuntu 12.04” machine image because I’m comfortable with Ubuntu.
I’m essentially renting space on another company’s computer, so I still don’t have total control over my data, but it’s better than before.
The first thing I did was follow the “Getting Started” and “Securing Your Server” tutorial on Linode’s website. When you’re running your own server and services on it, security is serious business. A lack of attention to security issues, or just a mistake, can have serious consequences. The number one reason for security problems in software is bad configuration, not bad code. I’m not an expert in tech ops, so I try to follow instructions as closely as I can.
The $5 droplet is a low-power machine with only 512 MB of memory, and a 20 GB disk. So far, it’s been plenty powerful, and I think it will continue to be fine in the future, unless this blog starts generating large amounts of traffic. In that case, I can move the blog onto its own droplet with more power.
I am picky about my shell. I like to use zsh with the oh-my-zsh extension installed. Installing this is just a matter of running the one-liner listed on the oh-my-zsh README. I’m going to be spending a lot of time logged into my droplet over SSH, and I already spend a lot of time doing command line work on my local machine. I wanted the shell prompt on my droplet to make it immediately obvious to me that I was not working locally. I modified the “phillips” theme that comes with oh-my-zsh to be just the way I like it. I called the new theme “connell“. It shows your username, machine name, and the deepest 5 levels of the directory tree that you’re in. It does all of this with a minimum of extra characters.
I had a personal website hosted by a traditional web host, which worked well for me for a long time. I never had any problems with them, but since I was now running my own server, I wanted to host my website myself. I decided to switch over to WordPress from a custom site in the process, so I could blog. At the same time, I bought a domain name for my girlfriend and offered to host her site myself as well.
First, I needed to get my domain name pointing at my new server. I updated the nameserver entries with my registrar to point to DigitalOcean’s nameserver, and then added an A record on their nameservers to get to my server’s IP. I did the same with my girlfriend’s new domain. As always, this can take a day to propagate.
I wanted a legitimate SSL certificate so I could use my site securely. StartSLL offers free certificates that browsers will accept, and they verify that you are in control of the domain you’re signing. There is a series of steps that StartSSL makes you go through. When asked, I generated my own private key and certificate request, rather than allowing StartSSL to do it for me, since that would defeat the purpose of a private key.
I chose to use Apache for my web server since I am already comfortable configuring it. I set up 3 virtual hosts inside Apache. On port 80, I have a virtual host for unencrypted traffic to my site. I have a NamedVirtualHost for traffic on port 80 to my girlfriend’s domain. Apache will discriminate traffic based on the domain requested. These two virtual hosts obviously point to different document roots, each underneath our home folders. Another virtual host is for encrypted traffic on port 443 to my main site. This points to the same document root as my first virtual host did. You can follow this tutorial about how to set up SSL on Apache.
I chose to use WordPress to run my website because it’s easy, looks good, and I was familiar with installing it. I had to create a new database in MySQL, create a new user in MySQL, and give them access to that database. Then I moved the WordPress files into my website’s document root. The tricky part was getting file permissions right. I needed to set the group of every file and directory in the WordPress directory, as well as the root directory itself, to belong to group
sudo chgrp -R www-data <document_root>). The files already had group write permission, so this allowed WordPress to modify its own files, which is generally necessary. It’s also a good idea to install the package
libssh2-php so that WordPress can SCP into your server to upgrade itself.
Considering all that could have gone wrong and given me headaches, everything went pretty smoothly. I don’t know if things have gotten better since a few years ago, but every problem I encountered was easily fixed with a fairly obvious configuration change. This was pleasantly refreshing, since I’m used to pulling my hair out wondering why something won’t work. So far I’ve got a server running, configured securely, and I’m running a public web site. This was a very good first dive into dealing with server administration. I use Google for email and calendar, and Dropbox for file storage. In my next post, I’ll talk about moving my data out of their servers and into my own.