Post: Bringing all the projects under one roof

author: Mitja Felicijan <m@mitjafelicijan.com> 2023-07-01 19:54:11 +0200
committer: Mitja Felicijan <m@mitjafelicijan.com> 2023-07-01 19:54:11 +0200
commit: 47d2fc25bf97f7941131f8f23ab15dc3d1e16f47 (patch)
tree: 308c2dff3cb451555af7284f805a2fba16e9d9cd /content/posts
parent: 5c407433477a98f5a00c63062a96e6d816a9f73b (diff)
download: mitjafelicijan.com-47d2fc25bf97f7941131f8f23ab15dc3d1e16f47.tar.gz
1 files changed, 259 insertions, 0 deletions
diff --git a/content/posts/2023-07-01-bringing-all-of-my-projects-together-under-a-single-umbrella.md b/content/posts/2023-07-01-bringing-all-of-my-projects-together-under-a-single-umbrella.md
new file mode 100644
index 0000000..e103d32
--- /dev/null
+++ b/content/posts/2023-07-01-bringing-all-of-my-projects-together-under-a-single-umbrella.md
@@ -0,0 +1,259 @@
+---
+title: "Bringing all of my projects together under a single umbrella"
+url: bringing-all-of-my-projects-together-under-a-single-umbrella.html
+date: 2023-07-01T18:49:07+02:00
+draft: false
+---
+## What is the issue anyway?
+Over the years, I have accumulated a bunch of virtual servers on my
+[DigitalOcean](https://www.digitalocean.com/) account for small experimental
+projects I dabble in. And this has resulted in quite a bill. I mean, I wouldn't
+care if these projects were actually being used. But there were just being there
+unused and wasting resources. Which makes this an unnecessary burden on me.
+Most of them are just small HTML pages that have an endpoint or two to read data
+from or to, and for that reason I wrote servers left and right. To be honest,
+all of those things could have been done with [CGI
+scripts](https://en.wikipedia.org/wiki/Common_Gateway_Interface) and that would
+have been more than enough.
+Recently, I decided to stop language hopping and focus on a simpler stack which
+includes C, Go and Lua. And I can accomplish all the things I am interested in.
+## Finding a web server replacement
+Usually I had [Nginx](https://nginx.org/en/) in front of these small web servers
+and I had to manage SSL certificates and all that jazz. I am bored with these
+things. I don't want to manage any of this bullshit anymore.
+So the logical move forward was to find a solid alternative for this. I have
+ended up on [Caddy server](https://caddyserver.com/). I've used it in the past
+but kind of forgotten about it. What I really like about it is an ease of use
+and a bunch of out of the box functionalities that come with it.
+These are the _pitch_ points from their website:
+- **Secure by Default**: Caddy is the only web server that uses HTTPS by
+  default. A hardened TLS stack with modern protocols preserves privacy and
+  exposes MITM attacks.
+- **Config API**: As its primary mode of configuration, Caddy's REST API makes
+  it easy to automate and integrate with your apps.
+- **No Dependencies**: Because Caddy is written in Go, its binaries are entirely
+  self-contained and run on every platform, including containers without libc.
+- **Modular Stack**: Take back control over your compute edge. Caddy can be
+  extended with everything you need using plugins.
+I had just a few requirements:
+- Automatic SSL
+- Static file server
+- Basic authentication
+- CGI script support
+And the vanilla version does all of it, but CGI scripts. But that can easily be
+fixed with their modular approach. You can do this on their website and build a
+custom version of the server, or do it with Docker.
+This is a `Dockerfile` I used to build a custom server.
+```Dockerfile
+FROM caddy:builder AS builder
+RUN xcaddy build \
+  --with github.com/aksdb/caddy-cgi
+FROM caddy:latest
+RUN apk add --no-cache nano
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
+```
+## Getting rid of all the unnecessary virtual machines
+The next step was to get a handle on the number of virtual servers I have all
+over the place.
+I decided to move all the projects and services into two main VMs:
+- personal server (still Nginx)
+  - git server
+  - files static server
+  - personal blog
+- projects server (Caddy server)
+  - personal experiments
+  - other projects
+I will focus on projects' server in this post since it's more interesting.
+## Testing CGI scripts
+The first thing I tested was how CGI scripts work under Caddy. This is
+particularly import to me because almost all of my experiments and mini projects
+need this to work.
+To configure Caddy server, you must provide the server with a configuration
+file. By default, it's called `Caaddyfile`.
+```caddyfile
+{
+  order cgi before respond
+}
+examples.mitjafelicijan.com {
+  cgi /bash-test /opt/projects/examples/bash-test.sh
+  cgi /tcl-test /opt/projects/examples/tcl-test.tcl
+  cgi /lua-test /opt/projects/examples/lua-test.lua
+  root * /opt/projects/examples
+  file_server
+}
+```
+- The order is very important. Make sure that `order cgi before respond` is at
+  the top of the configuration file.
+- Also, when you run with Caddy v2, make sure you provide `adapter` argument
+  like this `/usr/bin/caddy run --watch --environ --config /etc/caddy/Caddyfile
+  --adapter caddyfile`. Otherwise, Caddy will try to use a different format for
+  config file.
+I did a small batch of tests with [Bash](https://www.gnu.org/software/bash/),
+[Tcl](https://www.tcl-lang.org/) and [Lua](https://www.lua.org/). Here is a
+cheat sheet if you need it.
+Let's get Bash out the way first.
+```bash
+#!/usr/bin/bash
+printf "Content-type: text/plain\n\n"
+printf "Hello from Bash\n\n"
+printf "PATH_INFO     [%s]\n" $PATH_INFO
+printf "QUERY_STRING  [%s]\n" $QUERY_STRING
+printf "\n"
+for i in {0..9..1}; do
+  printf "> %s\n" $i
+done
+exit 0
+```
+This one is for Tcl script.
+```tcl
+#!/usr/bin/tclsh
+puts "Content-type: text/plain\n"
+puts "Hello from Tcl\n"
+puts "PATH_INFO     \[$env(PATH_INFO)\]"
+puts "QUERY_STRING  \[$env(QUERY_STRING)\]"
+puts ""
+for {set i 0} {$i < 10} {incr i} {
+  puts "> $i"
+}
+```
+And for the final example, Lua.
+```lua
+#!/usr/bin/lua
+print("Content-type: text/plain\n")
+print("Hello from Lua\n")
+print(string.format("PATH_INFO     [%s]", os.getenv("PATH_INFO")))
+print(string.format("QUERY_STRING  [%s]", os.getenv("QUERY_STRING")))
+print()
+for i = 0, 9 do
+  print(string.format("> %d", i))
+end
+```
+## Basic authentication
+One thing was also to have an option for some sort of authentication, and
+something like [Basic access
+authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) would
+be more than enough.
+Thankfully, Caddy supports this out of the box already. Below is an updated
+example.
+```Caddyfile
+{
+    order cgi before respond
+}
+examples.mitjafelicijan.com {
+  cgi /bash-test /opt/projects/examples/bash-test.sh
+  cgi /tcl-test /opt/projects/examples/tcl-test.tcl
+  cgi /lua-test /opt/projects/examples/lua-test.lua
+  root * /opt/projects/examples
+  file_server
+  basicauth * {
+    bob $2a$14$/wCgaf9oMnmQa20txB76u.nI1AldGMBT/1J7fXCfgOiRShwz/JOkK
+  }
+}
+```
+`basicauth *` matches everything under this domain/sub-domain and protects it
+with Basic Authentication.
+- `bob` is the username
+- `hash` is the password
+To generate these passwords, execute `caddy hash-password` and this will prompt
+you to insert a password twice and spit out a hashed password that you can put
+in your configuration file.
+Restart the server and you are ready to go.
+## Making Caddy a service with systemd
+After the tests were successful, I copied `caddy` to `/usr/bin/caddy` and copied
+`Caddyfile` to `/etc/caddy/Caddyfile`.
+Now off to the systemd. Each systemd service requires you to create a service
+file.
+- I created a `/etc/systemd/system/caddy.service` and put the following content
+  in the file.
+```systemd
+[Unit]
+Description=Caddy
+Documentation=https://caddyserver.com/docs/
+After=network.target network-online.target
+Requires=network-online.target
+[Service]
+Type=notify
+User=root
+Group=root
+ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile --adapter caddyfile
+ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force --adapter caddyfile
+TimeoutStopSec=5s
+LimitNOFILE=1048576
+LimitNPROC=512
+PrivateTmp=true
+ProtectSystem=full
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+[Install]
+WantedBy=multi-user.target
+```
+- Then I enabled the service with `systemctl enable caddy.service`.
+- And then I started the service with `systemctl start caddy.service`.
+This was about all that I needed to do to get it running. Now I can easily add
+new subdomains and domains to the main configuration file and be done with
+it. No manual Let's Encrypt shenanigans needed.
author	Mitja Felicijan <m@mitjafelicijan.com>	2023-07-01 19:54:11 +0200
committer	Mitja Felicijan <m@mitjafelicijan.com>	2023-07-01 19:54:11 +0200
commit	47d2fc25bf97f7941131f8f23ab15dc3d1e16f47 (patch)
tree	308c2dff3cb451555af7284f805a2fba16e9d9cd /content/posts
parent	5c407433477a98f5a00c63062a96e6d816a9f73b (diff)
download	mitjafelicijan.com-47d2fc25bf97f7941131f8f23ab15dc3d1e16f47.tar.gz

diff --git a/content/posts/2023-07-01-bringing-all-of-my-projects-together-under-a-single-umbrella.md b/content/posts/2023-07-01-bringing-all-of-my-projects-together-under-a-single-umbrella.md new file mode 100644 index 0000000..e103d32 --- /dev/null +++ b/content/posts/2023-07-01-bringing-all-of-my-projects-together-under-a-single-umbrella.md
@@ -0,0 +1,259 @@
	1	---
	2	title: "Bringing all of my projects together under a single umbrella"
	3	url: bringing-all-of-my-projects-together-under-a-single-umbrella.html
	4	date: 2023-07-01T18:49:07+02:00
	5	draft: false
	6	---
	7
	8	## What is the issue anyway?
	9
	10	Over the years, I have accumulated a bunch of virtual servers on my
	11	[DigitalOcean](https://www.digitalocean.com/) account for small experimental
	12	projects I dabble in. And this has resulted in quite a bill. I mean, I wouldn't
	13	care if these projects were actually being used. But there were just being there
	14	unused and wasting resources. Which makes this an unnecessary burden on me.
	15
	16	Most of them are just small HTML pages that have an endpoint or two to read data
	17	from or to, and for that reason I wrote servers left and right. To be honest,
	18	all of those things could have been done with [CGI
	19	scripts](https://en.wikipedia.org/wiki/Common_Gateway_Interface) and that would
	20	have been more than enough.
	21
	22	Recently, I decided to stop language hopping and focus on a simpler stack which
	23	includes C, Go and Lua. And I can accomplish all the things I am interested in.
	24
	25	## Finding a web server replacement
	26
	27	Usually I had [Nginx](https://nginx.org/en/) in front of these small web servers
	28	and I had to manage SSL certificates and all that jazz. I am bored with these
	29	things. I don't want to manage any of this bullshit anymore.
	30
	31	So the logical move forward was to find a solid alternative for this. I have
	32	ended up on [Caddy server](https://caddyserver.com/). I've used it in the past
	33	but kind of forgotten about it. What I really like about it is an ease of use
	34	and a bunch of out of the box functionalities that come with it.
	35
	36	These are the _pitch_ points from their website:
	37
	38	- Secure by Default: Caddy is the only web server that uses HTTPS by
	39	default. A hardened TLS stack with modern protocols preserves privacy and
	40	exposes MITM attacks.
	41	- Config API: As its primary mode of configuration, Caddy's REST API makes
	42	it easy to automate and integrate with your apps.
	43	- No Dependencies: Because Caddy is written in Go, its binaries are entirely
	44	self-contained and run on every platform, including containers without libc.
	45	- Modular Stack: Take back control over your compute edge. Caddy can be
	46	extended with everything you need using plugins.
	47
	48	I had just a few requirements:
	49
	50	- Automatic SSL
	51	- Static file server
	52	- Basic authentication
	53	- CGI script support
	54
	55	And the vanilla version does all of it, but CGI scripts. But that can easily be
	56	fixed with their modular approach. You can do this on their website and build a
	57	custom version of the server, or do it with Docker.
	58
	59	This is a `Dockerfile` I used to build a custom server.
	60
	61	```Dockerfile
	62	FROM caddy:builder AS builder
	63
	64	RUN xcaddy build \
	65	--with github.com/aksdb/caddy-cgi
	66
	67	FROM caddy:latest
	68	RUN apk add --no-cache nano
	69
	70	COPY --from=builder /usr/bin/caddy /usr/bin/caddy
	71	```
	72
	73	## Getting rid of all the unnecessary virtual machines
	74
	75	The next step was to get a handle on the number of virtual servers I have all
	76	over the place.
	77
	78	I decided to move all the projects and services into two main VMs:
	79
	80	- personal server (still Nginx)
	81	- git server
	82	- files static server
	83	- personal blog
	84	- projects server (Caddy server)
	85	- personal experiments
	86	- other projects
	87
	88	I will focus on projects' server in this post since it's more interesting.
	89
	90	## Testing CGI scripts
	91
	92	The first thing I tested was how CGI scripts work under Caddy. This is
	93	particularly import to me because almost all of my experiments and mini projects
	94	need this to work.
	95
	96	To configure Caddy server, you must provide the server with a configuration
	97	file. By default, it's called `Caaddyfile`.
	98
	99	```caddyfile
	100	{
	101	order cgi before respond
	102	}
	103
	104	examples.mitjafelicijan.com {
	105	cgi /bash-test /opt/projects/examples/bash-test.sh
	106	cgi /tcl-test /opt/projects/examples/tcl-test.tcl
	107	cgi /lua-test /opt/projects/examples/lua-test.lua
	108
	109	root * /opt/projects/examples
	110	file_server
	111	}
	112	```
	113
	114	- The order is very important. Make sure that `order cgi before respond` is at
	115	the top of the configuration file.
	116	- Also, when you run with Caddy v2, make sure you provide `adapter` argument
	117	like this `/usr/bin/caddy run --watch --environ --config /etc/caddy/Caddyfile
	118	--adapter caddyfile`. Otherwise, Caddy will try to use a different format for
	119	config file.
	120
	121	I did a small batch of tests with [Bash](https://www.gnu.org/software/bash/),
	122	[Tcl](https://www.tcl-lang.org/) and [Lua](https://www.lua.org/). Here is a
	123	cheat sheet if you need it.
	124
	125	Let's get Bash out the way first.
	126
	127	```bash
	128	#!/usr/bin/bash
	129
	130	printf "Content-type: text/plain\n\n"
	131
	132	printf "Hello from Bash\n\n"
	133	printf "PATH_INFO [%s]\n" $PATH_INFO
	134	printf "QUERY_STRING [%s]\n" $QUERY_STRING
	135	printf "\n"
	136
	137	for i in {0..9..1}; do
	138	printf "> %s\n" $i
	139	done
	140
	141	exit 0
	142	```
	143
	144	This one is for Tcl script.
	145
	146	```tcl
	147	#!/usr/bin/tclsh
	148
	149	puts "Content-type: text/plain\n"
	150
	151	puts "Hello from Tcl\n"
	152	puts "PATH_INFO \[$env(PATH_INFO)\]"
	153	puts "QUERY_STRING \[$env(QUERY_STRING)\]"
	154	puts ""
	155
	156	for {set i 0} {$i < 10} {incr i} {
	157	puts "> $i"
	158	}
	159	```
	160
	161	And for the final example, Lua.
	162
	163	```lua
	164	#!/usr/bin/lua
	165
	166	print("Content-type: text/plain\n")
	167
	168	print("Hello from Lua\n")
	169	print(string.format("PATH_INFO [%s]", os.getenv("PATH_INFO")))
	170	print(string.format("QUERY_STRING [%s]", os.getenv("QUERY_STRING")))
	171	print()
	172
	173	for i = 0, 9 do
	174	print(string.format("> %d", i))
	175	end
	176	```
	177
	178	## Basic authentication
	179
	180	One thing was also to have an option for some sort of authentication, and
	181	something like [Basic access
	182	authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) would
	183	be more than enough.
	184
	185	Thankfully, Caddy supports this out of the box already. Below is an updated
	186	example.
	187
	188	```Caddyfile
	189	{
	190	order cgi before respond
	191	}
	192
	193	examples.mitjafelicijan.com {
	194	cgi /bash-test /opt/projects/examples/bash-test.sh
	195	cgi /tcl-test /opt/projects/examples/tcl-test.tcl
	196	cgi /lua-test /opt/projects/examples/lua-test.lua
	197
	198	root * /opt/projects/examples
	199	file_server
	200
	201	basicauth * {
	202	bob $2a$14$/wCgaf9oMnmQa20txB76u.nI1AldGMBT/1J7fXCfgOiRShwz/JOkK
	203	}
	204	}
	205	```
	206
	207	`basicauth *` matches everything under this domain/sub-domain and protects it
	208	with Basic Authentication.
	209
	210	- `bob` is the username
	211	- `hash` is the password
	212
	213	To generate these passwords, execute `caddy hash-password` and this will prompt
	214	you to insert a password twice and spit out a hashed password that you can put
	215	in your configuration file.
	216
	217	Restart the server and you are ready to go.
	218
	219	## Making Caddy a service with systemd
	220
	221	After the tests were successful, I copied `caddy` to `/usr/bin/caddy` and copied
	222	`Caddyfile` to `/etc/caddy/Caddyfile`.
	223
	224	Now off to the systemd. Each systemd service requires you to create a service
	225	file.
	226
	227	- I created a `/etc/systemd/system/caddy.service` and put the following content
	228	in the file.
	229
	230	```systemd
	231	[Unit]
	232	Description=Caddy
	233	Documentation=https://caddyserver.com/docs/
	234	After=network.target network-online.target
	235	Requires=network-online.target
	236
	237	[Service]
	238	Type=notify
	239	User=root
	240	Group=root
	241	ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile --adapter caddyfile
	242	ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force --adapter caddyfile
	243	TimeoutStopSec=5s
	244	LimitNOFILE=1048576
	245	LimitNPROC=512
	246	PrivateTmp=true
	247	ProtectSystem=full
	248	AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
	249
	250	[Install]
	251	WantedBy=multi-user.target
	252	```
	253
	254	- Then I enabled the service with `systemctl enable caddy.service`.
	255	- And then I started the service with `systemctl start caddy.service`.
	256
	257	This was about all that I needed to do to get it running. Now I can easily add
	258	new subdomains and domains to the main configuration file and be done with
	259	it. No manual Let's Encrypt shenanigans needed.