Note: In this post I mention some problems and ask questions (to myself, like “thinking aloud”). The goal is not to get answers to those questions (I suppose that I will find them soon or later in the internet, manuals and so), but to show the kind of problems and questions that arise in my selfhosting adventures, which I suppose are common to other people trying to administer a home server with some web services.
Am I an userop? Well I’m something in the middle of (GNU/Linux) user and sysadmin: I have studied computer technical engineering but most of my experience has been in helpdesk, providing support for Windows users. I’m running Debian in some LAMP boxes at work (without GUI) since 2008 or so, and in my desktops (with GUI) since 2010. I don’t code nor package, but I don’t mind trying to read code and understand it (or not). I know a bit of C, a bit of Python, of PHP, and enough Perl to open a Perl file and close it after two minutes, understanding that it’s great, but too much for me 🙂 I translate software, so I’m not scared to clone a repository, edit files, commit or submit a patch. I’m not scared of compiling a program (except if it’s an Android app: I try to avoid setting up the development environment just to try some translation that I made… but I built my Puma before it was the binary available for download or in F-Droid).
In conclusion, I feel more like a “GNU/Linux power user” than a “sysadmin”. Sometimes just a “user” or even a “newbie” (for example, I don’t know very well the Unix/Linux folder tree… where are the wallpapers stored? Does it depend on the desktop that I use?).
Anyway. I won’t stop my free software + free networks digital life because I don’t know many things. I bought a small server for home last September, and I wanted to try to selfhost some services, for me and for my family. I want to be a “home sysadmin” or something like that, so I joined the “userops” mailing list 🙂
Here you have my experiences on selfhosting/being an userop until now.
I even didn’t try to setup my mail server, because many people say it’s a pain (although nice articles were published about how to do it, for example this series in ArsTechnica) and I need a static IP which is 14€/month more to my ISP, and Gandi, the place where I rented my domain name, provides mail, and they use Debian and Roundcube, and sponsor Debian too, so I decided to trust on them.
So this is my strategy now, to try to keep mail under my control:
- Trust my domain provider.
- Backup my mail and keep local copies, removing sensible stuff from the server.
- Use and spread the word about GPG encryption.
- Try not to send photos or videos by mail, just send the link to my MediaGoblin instance (see below).
MediaGoblin
I’ve setup two MediaGoblin instances (yes, two!). I managed to do it in Debian 7 stable (I think NodeJS’ npm was not needed then), but soon later I upgraded to Jessie so now it’s even better.
I installed Nginx and PostgreSQL via apt, to use them for both instances (and probably some more software later).
One instance is public, and I use a Debian user, a PostgreSQL database, and it’s running in http://media.larjona.net
I have requested an SSL cert to Gandi but I still didn’t deployed it (lazy LArjona!!).
The other instance is private, for family photos. I didn’t know very well how much of my existing setup could reuse and how to keep both instances in case of downtimes or attack… I know more or less the concept or “chroot” but I don’t know how to deploy it in my machine. So I decided to use another Debian user, another PostgreSQL database, deploy MediaGoblin in a different folder, and create another virtual server in my Nginx to serve it. I managed to setup that virtual server to http-authenticate and to serve content via a different port, and use a self-signed SSL certificate (it’s only for family, so it does not matter). I created another (unprivileged) Debian user with a password for the nginx authentication, and gave my family the URL in the form https://mediaprivate.larjona.net:PortNumber and the user and password (mediaprivate is a string, and PortNumber is a number). I think they don’t use the instance too much, but at least I upload photos there from time to time and email the link instead of emailing the photos themselves (they don’t use GPG either…).
Upgrades
I upgraded MediaGoblin from 0.7.1 to 0.8.0 successfully, I sent a report about how I did it to the mailing list. First I upgraded the public instance, when I figure out the process, I upgraded the second instance to test my instructions, and then, I sent the report with the instructions to the mailing list.
Static site and LimeSurvey: the power of free software (with instructions)
I wanted to act as a mirror of floss2013.libresoft.es and surveys.libresoft.es since they suffer a downtime and I participated in that project (not in the sysadmin part, but in the research and content creation).
The static site floss2013.libresoft.es offered a zip with the whole website tree (since the website was licensed as AGPL), and I had access to the git repo holding the development copy of the website. So I just cloned the repository and setup another nginx virtual server in my machine, and tuned my DNS zone in Gandi website to serve floss2013.larjona.net from home. 10 minutes setup YAY! #inGitWeTrust #FreeSoftwareFTW 🙂
For surveys.larjona.net I had to install a LimeSurvey instance. I knew how to do it because we use LimeSurvey at work, but at home I had Nginx instead of Apache, and PostgreSQL instead of MySQL. And no PHP… I searched about how to install PHP in Nginx (I can use apt-get, nice!) and how to install LimeSurvey with Nginx and PostgreSQL (I had documentation about that, so I followed, and it worked).
For making available the data (one survey and its results, so people can login as visitor to query and get statistics), I downloaded the LimeSurvey export dataset that we were providing in the static website, followed the replication instructions (hey, I wrote them!), and they worked #oleole! (And here, dear researchers, gets demonstrated that free software and free culture really empower your research and help spreading your results).
Etherpad: not so easy, it seems!
I’m trying to install Etherpad-Lite, but I’m suffering a bit. I think I did everything ok according to some guides but I get “Bad Gateway” and these kind of errors when trying to browse with Lynx in the host:
[error] 3615#0: *24 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 127.0.0.1, server: pad.larjona.net, request: "GET / HTTP/1.0", upstream: "http://127.0.0.1:9001/", host: "pad.larjona.net" 2015/04/17 20:52:56 [error] 3615#0: *24 connect() failed (111: Connection refused) while connecting to upstream, client: 127.0.0.1, server: pad.larjona.net, request: "GET / HTTP/1.0", upstream: "http://[::1]:9001/", host: "pad.larjona.net"
I’m not sure if I need to open some port in iptables, my router, or change my nginx configuration because the guides assume you’re only serving one website in the port 80 (and I have several of them, now…), or what… I’ve spent three chunks of time (maybe ~2h each?) on this, in different days, and couldn’t figure it out, so I decided to round-robin in my TODO list.
Userops thoughts
Debian brings peace of mind (for me)
On one side, maintaining a Debian box it’s quite easy, and the more software that it’s packaged, the less time that I spend installing or upgrading. I like being in stable, I’m in Jessie now (I migrated when it was frozen), but I’ll stay in stable as much as I can.
I like that I can use the software that I installed via apt-get for several services (nginx, PostgreSQL…). About the software that is not packaged (MediaGoblin, LimeSurvey, EtherPad, maybe others later), I wonder how dependencies and updates are handled. And maybe (probably) I have installed some components several times, one for each service (this sounds like a Windows box #grr).
For example MediaGoblin uses PyPump. PyPump 0.5 is packaged in Debian Jessie. MediaGoblin uses PyPump 0.7+. What if PyPump 0.7+ gets, let’s say, into Jessie-backports? Can I benefit from that?
I know that MediaGoblin upgrade instructions includes upgrading the dependencies, but what about some security patch in one dependency? Should I upgrade the pip modules periodically? How to know if some upgrade is recommended because patches a vulnerability, or it’s just new features (and maybe breaking my setup)?
This kind of things are the “peace of mind” that Debian packaging brings to me: when some piece of software is packaged, I know maybe I need to care about proper setup and configuration, but later, it’s kind-of-easy to maintain (since the Debian maintainers care about the rest). I don’t mind about cloning a repo and compiling, I mind about later, or coexistance with other program/services. I trust in the MediaGoblin community and I’m an active member (I’m not developer, but hang on IRC, follow the mailing list, etc) but for example I don’t know anything about the EtherPad project. And I don’t feel like joining the community (I’m already an active member in Debian, MediaGoblin, F-Droid, Pump.io, translator of LimeSurvey and many other small apps that I use, and in the future will use more services, like OwnCloud, XMPP…), joining the community of each software that I use is becoming not sustainable :s
Free software is more than software
I follow the userop mailing list, and it’s becoming very technical. I mostly understand the problems (which are similar to the problems that I face: how to isolate different services, how to easily-configure them, how to make them installable by average user…) But I don’t understand most of the solutions proposed, and I think that probably we need technical solutions, but in the meanwhile, some issues can be addressed not with software, but with other means: good documentation, community support, translations, beta-testers…
This is my conclusion until now. When a project is well documented, I think I can find my way to selfhost no matter if the software is packaged (or “contained”) or not. MediaGoblin, and LimeSurvey, are well documented, and the user support channels are very responsive.
I find lots of instructions that assume that you will use a whole machine for their service (and not for other things). And lots of documentation for the LAMP stack, but not for Nginx + PostgreSQL and Node instead of PHP… So, for each “particularity” of my setup, I search the internet and try to pick good sources to help me do what I wanted to do.
I’m kind of privileged
Some elements, not software related, to take into account as “pre-requisites for succeed” selfhosting services:
- I knew what to search.
- I knew which sites to visit from the results (arch wiki, debian wiki, stack overflow, etc: some of them were not the Top1 in the results).
- I had time to read several sources and make my mind about what to do and how.
- I can read, understand, and write in English.
- I have no fear about my broken English.
- I have no impostor syndrome.
- I felt welcome in the FLOSS communities where I hanged out.
These aspects are not present in a lot of people. If I look around to the “computer users” that I know (mostly Windows+Android, some GNU/Linux users, some Mac OSX users, some iOS users), I find that they search things like “X does not work” or they cannot write a proper search query in English. Or they trust some random person writing a recipe in their blog, without trying first to understand what the recipe does. Other people just say “I’m not a professional sysadmin, I’ll just do what «everybody» does (aka use Google services or whatever). What if I try and I don’t succeed?”. Things like that.
We may need some technical solutions (and hackers are thinking about that, and working on that). But I feel that we need (more) a huge group of beta-testers, dogfooding people, aventurers that try the half-cooked solutions and provide successful and unsuccessful experiences, to guide the research and make software technologies advance. I’m not sure if I am an userop, but I feel part of that “vanguard force”, I want to be part of the future of free software and free networks.
Comments?
You can comment about this post on this pump.io thread.
The bright side 