Self-hosting architecture (draft)
An attempt at building stuff for app-easy self-hosting.
Concept:
- coop has a cluster of highly available TCP reverse proxy servers (e.g. haproxy)
- coop configures hostnames in DNS to point to the reverse proxy servers
- backends of the proxy servers can be
  - hosted at home
  - hosted at coop
  - one can be the backup of the other thanks to nomadic identity
- based on nixos in a container => fully reproducible
Architecture

  -- HA1 - haproxy tcp reverse proxy ---- Sa1 Sa2 Sa3 ...
                                       \ /
  -- HA2 - haproxy tcp reverse proxy ---- Sb1 Sb2 Sb3 ...

Haproxy: host-based routing to a local port P, mapped to an ssh tunnel
TODO: calculation of port P
Application level redundancy (nomadic identity):
- servers maintain SSH tunnels to both reverse proxies
Server setup
Nixos container: https://nixcademy.com/posts/nixos-nspawn/
WIP on nixos config
Goal: hubzilla (LAMP + php code) + mariadb backup
nixos config:
[root@nixos:~]# cat /etc/nixos/configuration.nix
{ pkgs, modulesPath, ... }:
{
  imports = [
    (modulesPath + "/profiles/minimal.nix")
    ./nspawn-image.nix
  ];

  boot.isContainer = true;
  networking.hostName = "nixos";

  # activate Nix Flakes
  nix.extraOptions = ''
    experimental-features = nix-command flakes
  '';

  environment.systemPackages = with pkgs; [
    git
    vim
    wget
  ];

  system.stateVersion = "23.11";

  # Set an initial password here or at runtime do `machinectl shell nixos` and
  # run `passwd` there. An empty hash lets root log in on the container console
  # without a password until that is done.
  users.users.root.initialHashedPassword = "";

  # Pascal - add openssh server if remote access is needed ONLY
  services.openssh.enable = true;

  # Pascal - run garbage collector daily
  nix.gc.automatic = true;
  nix.gc.dates = "12:15";
}
after making changes:
nixos-rebuild switch
TODO: learn to make a derivation to install hubzilla
Onboarding
Context
- username, e.g. myname@nubo.coop
- S = hash of the username to a short value, used to find the server that hosts it
- U = hash of the username to a long value, stored on the server as the ssh username
- servers have hostname S
- horizontal scaling of servers S
- hosting system S: generate salt = SSalt
Resources
- db of username <-> U
Processes:
- frontend: haproxy redirecting by host => port P
- backend: ssh server run by U on port X (TODO how to calculate?), with the public key of U in authorized_keys
Onboarding:
- check that the username hashes to S; if not: WARNING (could be ok if the username changed => U & S changed)
self-hosted system:
- calculate S from the username (or ask the central server to calculate S from the username?)
- maintain an ssh session with username U to server S on port P and tunnel 80 & 443 to the self-hosted system
- put the public key of user U on hosting system S
- run a nixos-based container with the application listening on ports 80 & 443 (no openssh server)
onboarding for a new username:
- calculate S
- ask S if U already exists
  - Yes: collision => expand the length of the domain of S, e.g. expand to another byte & add "0" to all existing S in the lookup algorithm
  - No: ask S to add U & add to db
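The derivation of S, U and P and the collision rule above are only sketched, so here is an added reference model of them (example code, not the coop's or the page's own). Everything concrete in it is an assumption the page leaves open: HMAC-SHA256 under a placeholder salt as the hash, S as the first byte(s) of the digest, U as a 32-character login name, P derived from U in an assumed port range, and the "add 0 to all existing S" rule read as prefixing "00" to existing lookup keys while each user's stored S stays at the width it was assigned.

```python
"""Added example (not from the page or the coop): username -> S / U / P
derivation and the onboarding collision rule. Hash, salt, S width, U format
and port range are assumptions; the page leaves them as TODOs."""
import hashlib
import hmac

SALT = b"SSalt-placeholder"           # placeholder for the salt generated by S
PORT_BASE, PORT_COUNT = 20000, 10000  # assumption: tunnel ports 20000-29999
MAX_WIDTH = 4                          # assumption: stop widening S at 4 bytes


def digest(username: str) -> bytes:
    """Keyed hash of the normalised username (assumption: HMAC-SHA256 under
    SALT), so nobody without the salt can recompute U from a public username."""
    return hmac.new(SALT, username.strip().lower().encode(), hashlib.sha256).digest()


def short_hash(username: str, width: int) -> str:
    """S: the first `width` bytes of the digest as hex; selects the hosting server."""
    return digest(username)[:width].hex()


def long_hash(username: str) -> str:
    """U: 'u' + 31 hex digits = 32 chars (the Linux login-name limit); the ssh user."""
    return "u" + digest(username).hex()[:31]


def port_for(u: str) -> int:
    """P: derived from U so haproxy and the backend agree without a shared lookup."""
    n = int.from_bytes(hashlib.sha256(u.encode()).digest()[:4], "big")
    return PORT_BASE + n % PORT_COUNT


class Registry:
    """Coop-side state: the username <-> U db and the S lookup table."""

    def __init__(self) -> None:
        self.width = 1                                    # digest bytes used for S
        self.servers: dict[str, set[str]] = {}            # S -> set of U hosted there
        self.users: dict[str, tuple[str, str, int]] = {}  # username -> (S, U, P)

    def onboard(self, username: str) -> tuple[str, str, int]:
        u = long_hash(username)
        # Collision: U already exists on the server S maps to. Widen S by one
        # byte and prefix "00" to every existing key so the table stays uniform.
        while u in self.servers.get(short_hash(username, self.width), ()):
            if self.width >= MAX_WIDTH:
                raise RuntimeError("S domain exhausted")
            self.width += 1
            self.servers = {"00" + k: v for k, v in self.servers.items()}
        s = short_hash(username, self.width)
        p = port_for(u)
        self.servers.setdefault(s, set()).add(u)
        self.users[username] = (s, u, p)
        return s, u, p

    def check(self, username: str) -> bool:
        """Onboarding check: does the username still hash to its stored S?
        Compared at the width S was assigned, so later widening is not a WARNING."""
        s, _, _ = self.users[username]
        return short_hash(username, len(s) // 2) == s

    def server_key(self, username: str) -> str:
        """Current lookup-table key for a user: stored S padded to today's width."""
        s, _, _ = self.users[username]
        return "00" * (self.width - len(s) // 2) + s
```

A user's stored S is never rewritten, only the table keys are padded, so a renamed username is the only thing that makes `check` return False, which is exactly the WARNING case the page describes.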