[-] kayson@alien.top 1 points 11 months ago

Also docker repo but mainly because I use Jeff Geerlings ansible role for installing docker. I pin the version, so it's not really much different from using the Debian repo

[-] kayson@alien.top 1 points 1 year ago

Thanks! Any suggestions for WAF options? At the moment I just have nginx with fail2ban

[-] kayson@alien.top 1 points 1 year ago

Why do you need a reverse proxy? You don't need one to access Jellyfin externally. People use them to simply fit access when running more than one service.

I'd get it up and running locally first before trying it on a vps.

1
submitted 1 year ago by kayson@alien.top to c/main@selfhosted.forum

I'm deploying a nodejs-based website for someone. It will be low traffic, but I want to make sure I've got all my bases covered in terms of best practices for deployment and security. This is what I've got so far:

  • Code is hosted in private repo on private gitea instance
    • build into a docker image
  • Separate repo for all deployment code using ansible
    • secrets are saved in a vault and templated to the host
  • Runs on dedicated host with dedicated ipv4
  • host has fail2ban installed and firewalled to only allow ports 80/443 and shh
  • ssh hardened
    • non-standard port
    • public key auth only
  • images are run on docker
    • non-root user
    • one network for app+db, another for app+reverse proxy
    • only mapped ports are 80/443 on reverse proxy container
  • using swag for reverse proxy (includes fail2ban and letsencrypt)
    • php disabled
  • backups
    • database dumped nightly
    • everything synced to backblaze (wip)

What else should I be doing? The one thing I know I don't have is any monitoring. I'm going to set up some kind of healthcheck, but not sure if there's anything easy to set up wrt log monitoring...

Thanks!

kayson

joined 1 year ago