rogs

OpenCode as a server: AI agents that work while I sleep

Thu, 02 Apr 2026 00:00:00 +0000

My main machine is a beast. Ryzen 9 9950X3D, 64 GB of RAM, RX 9060 XT, three monitors, the works. It barely ever shuts off. So at some point I started thinking: why isn’t this thing working for me when I’m not sitting in front of it?

The answer is now: it does. I’m running OpenCode as a persistent server on this machine, accessible from anywhere through my WireGuard VPN. I can spin up coding sessions from my MacBook Air, my phone, wherever. And the best part? I have scheduled jobs that run overnight: adding tests, updating documentation, enforcing code conventions. I wake up to PRs waiting for my review.

Here’s the full setup.

The architecture

 ┌─────────────────────────────────────────────────────────┐
│ roger-beast │
│ (Ryzen 9 9950X3D / 64GB) │
│ │
│ ┌──────────────────┐ ┌──────────────────────┐ │
│ │ opencode serve │◀─────│ systemd user service │ │
│ │ :4096 (web UI) │ │ (auto-start/restart) │ │
│ └────────┬─────────┘ └──────────────────────┘ │
│ │ │
│ │ ┌──────────────────────┐ │
│ │ │ opencode-scheduler │ │
│ │ │ (systemd timers) │ │
│ │ │ ┌──────────────────┐ │ │
│ │ │ │ 2am: add tests │ │ │
│ │ │ │ 3am: update docs │ │ │
│ │ │ │ 4am: conventions │ │ │
│ │ │ └──────────────────┘ │ │
│ │ └──────────────────────┘ │
│ │ │
└───────────┼─────────────────────────────────────────────┘
│
┌───────┴──────────────┐
│ Nginx Proxy │
│ Manager │
│(opencode.example.com)│
└───────┬──────────────┘
│
┌─────────┴──────────┐
│ WireGuard VPN │
│ / Local Network │
└─────────┬──────────┘
│
┌────────┴────────┐
│ │
┌──┴───┐ ┌─────┴──────┐
│ 💻 │ │ 📱 │
│ MBA │ │ Phone │
└──────┘ └────────────┘

The idea is simple: OpenCode runs as a systemd user service, Nginx Proxy Manager gives it a nice domain, and WireGuard makes sure only my devices can reach it. From any browser on any device, I just go to opencode.example.com and I’m in.

Phase 1: OpenCode server with systemd

OpenCode has a serve command that starts a web UI you can access from a browser. The trick is making it persistent so it survives reboots and restarts itself if it crashes.

First, create a systemd user service. This means it runs as your user, not as root, which is important because it needs access to your home directory, your API keys, your OpenCode config, everything.

Create the file at ~/.config/systemd/user/opencode.service:

[Unit]
Description=OpenCode headless server
After=network.target

[Service]
ExecStart=/home/roger/.opencode/bin/opencode serve --hostname 0.0.0.0 --port 4096
Restart=on-failure
RestartSec=5

[Install]
WantedBy=default.target

A few things to note:

--hostname 0.0.0.0 makes it listen on all interfaces, not just localhost. This is necessary so that Nginx Proxy Manager (or other devices on your network) can reach it.
--port 4096 is arbitrary. Pick whatever you want, just make sure it doesn’t conflict with anything else.
Restart=on-failure with RestartSec=5 means if OpenCode crashes, systemd will bring it back up after 5 seconds. I’ve never had it crash, but it’s nice to know it’s there.
WantedBy=default.target means it starts on login. Since this machine barely ever restarts, that’s basically “always on.”

Enable and start it:

systemctl --user daemon-reload
systemctl --user enable opencode.service
systemctl --user start opencode.service

Verify it’s running:

systemctl --user status opencode.service

You should see it active and running. If you want the service to keep running even when you’re not logged in (which you probably do, since the whole point is that it runs when you’re away), you need to enable lingering:

sudo loginctl enable-linger roger

Replace roger with your username. This tells systemd to keep your user services running even after you log out. Without this, systemd kills your user services when your last session closes, which defeats the entire purpose.

At this point, you should be able to open http://localhost:4096 on the machine and see the OpenCode web UI.

Sweet, sweet OpenCode

Phase 2: Nginx Proxy Manager + WireGuard

I use Nginx Proxy Manager as my reverse proxy. It’s a Docker-based GUI for managing Nginx configs, SSL certificates, and proxy hosts. If you prefer raw Nginx configs, you can absolutely do that instead, the concept is the same: point a domain at the OpenCode port.

In Nginx Proxy Manager, I created a new proxy host:

Domain: opencode.example.com
Scheme: http
Forward Hostname/IP: 192.168.x.x (the local IP of my machine)
Forward Port: 4096
Websockets Support: enabled (OpenCode’s web UI uses websockets)

For the access part, I don’t need to worry too much about authentication because the domain is only accessible from two places:

My local network: If I’m at home, my devices are already on the same network as the machine.
My WireGuard VPN: If I’m remote, I connect to my WireGuard VPN first, which puts me on the same network. My WireGuard setup is the same one I described in my Claude Code from the beach post.

The DNS for opencode.example.com points to the internal IP of the machine running Nginx Proxy Manager. This means the domain simply doesn’t resolve from the public internet. You’d have to be on my network (or VPN) for it to go anywhere.

Phase 3: Accessing from anywhere

This is the satisfying part. Once the server is running and the proxy is configured, the workflow from any device is:

Connect to WireGuard (if I’m not already home)
Open a browser
Go to opencode.example.com
Done. Full OpenCode web UI, all my agents, all my MCP servers, everything.

From my MacBook Air at a coffee shop, from my phone on the couch, doesn’t matter. The web UI is the same everywhere. I can start a task on my MacBook, close the laptop, pick it up on my phone later, and everything is still there because the server is running on the beast at home.

This pairs really nicely with my Claude Code from the beach setup, but it’s way friendlier. That setup uses mosh + tmux + SSH bridges through Termux to get a terminal on a remote machine. It works great for Claude Code (which is a TUI), but it’s a lot of moving parts: you need Termux, SSH keys on your phone, a jump box, mosh installed everywhere. If something breaks in the chain, you’re debugging SSH configs from a phone keyboard. I wrote a whole blog post about that setup and I’m proud of it, but let’s be real: the fact that I needed an entire blog post to explain how to use Claude Code from my phone is kind of the problem.

With OpenCode, I just open a browser. That’s it. Any browser, on any device. No Termux, no SSH keys, no jump box, no terminal emulator. My phone’s regular browser works perfectly. My MacBook’s browser works perfectly. If I ever get a tablet, that’ll work too. The barrier to entry went from “install Termux, configure SSH, set up mosh, create fish aliases” to “open Firefox.”

Hey Anthropic, if you’re reading this: please give Claude Code a web UI. I love your tool, I pay $100/month for it, but the fact that OpenCode can do this out of the box and Claude Code can’t is… not great. I shouldn’t need a 600-word phase-by-phase guide to use my coding agent from my phone. Just saying. 🙃

I still use the Claude Code + mosh + tmux setup for Claude Code specifically (since it’s terminal-only), but for OpenCode work, the web UI is a massive quality-of-life upgrade for mobile coding.

Phase 4: The overnight crew

This is my favorite part. The server runs 24/7, so why not put it to work while I sleep?

I use the opencode-scheduler plugin, which lets you schedule recurring jobs using your OS’s native scheduler (systemd timers on Linux, launchd on Mac). It’s an OpenCode plugin, so you set it up directly from the OpenCode UI.

First, add the plugin to your opencode.json:

{
 "plugin": ["opencode-scheduler"]
}

Then, from the OpenCode UI, you just tell it what you want in natural language:

Schedule a job that runs every weekday at 2am and runs the test-gap-pr-cronjob skill

The plugin takes care of creating the systemd timer and service under ~/.config/systemd/user/. You can verify it’s installed with:

systemctl --user list-timers | grep opencode

What my overnight jobs do

I have three scheduled jobs that run between 1 AM and 6 AM while I’m sleeping. Each one uses a custom OpenCode skill (similar to the planning/execution/review agents I described on my AI Toolbox page):

2 AM - Test gap finder: Scans the codebase for untested or under-tested code, writes the missing tests, and opens a PR.
3 AM - Documentation updater: Checks for outdated or missing docstrings and README sections, updates them, and opens a PR.
4 AM - Convention enforcer: Reviews code for style and convention violations that linters don’t catch (naming patterns, architectural decisions, etc.), fixes them, and opens a PR.

Each job uses a custom skill that knows the project’s conventions, testing patterns, and documentation style. The skills are the same kind of custom agents I build for my regular OpenCode workflow, just triggered on a schedule instead of manually.

The morning routine

When I log in in the morning, I usually have 1-3 PRs waiting for me. Most of them are good to go with minor tweaks. Some need more work. Either way, the tedious stuff (writing tests for edge cases, updating docstrings, fixing inconsistent naming) is already done, and I just need to review it.

It’s like having a junior developer who works the night shift. They’re not perfect, but they’re reliable, they don’t complain, and they’re surprisingly good at the boring stuff.

You can check the logs for any job at any time:

# From the OpenCode UI
Show logs for test-gap-pr-cronjob

# Or directly on disk
cat ~/.config/opencode/logs/test-gap-pr-cronjob.log

The specs

For anyone curious about the machine running all of this:

OS: Manjaro Linux 26.0.4
Host: B850M Pro-A WiFi
Kernel: 6.12.77-1-MANJARO
CPU: AMD Ryzen 9 9950X3D (32) @ 5.752GHz
GPU: AMD ATI Radeon RX 9060 XT GAMING OC 16G
Memory: 64 GB DDR5
Network: WiFi 6
Uptime: usually measured in days, not hours

The machine is wildly overpowered for this. OpenCode’s server uses barely any resources when idle, and even during active sessions or scheduled jobs, it doesn’t break a sweat. If you have a less powerful machine that stays on, this setup will work fine for you too.

Conclusion

The whole setup took maybe 30 minutes. A systemd service, a proxy host, and a scheduler plugin. That’s it.

What I love about this is that it extends my AI Toolbox in a way I didn’t expect. I went from “I use OpenCode when I’m at my desk” to “OpenCode is always running and I can use it from anywhere, and it also does work for me while I sleep.” The scheduled jobs alone have saved me hours of tedious work every week.

If you have a machine that stays on (even a modest home server or an old laptop), you can do this. You don’t need a Ryzen 9 or 64 GB of RAM. You need a machine that doesn’t turn off, a way to reach it remotely, and the willingness to let AI handle the boring stuff while you’re asleep.

All my configs are public in my dotfiles: git.rogs.me/rogs/dotfiles

If you have questions, hit me up. And if you set this up and wake up to PRs you didn’t write, let me know. That first morning is a great feeling.

See you in the next one!

How I deploy my projects to a single VPS with Gitea, NGINX and Docker

Sun, 15 Mar 2026 00:00:00 +0000

Hello everyone 👋

A few weeks ago, the team behind Jmail (a Gmail-styled interface for browsing the publicly released Epstein files) shared that they had racked up a $46,485 bill on Vercel The site had gone viral with ~450 million pageviews, and Vercel’s pricing structure turned that into a five-figure invoice. Vercel’s CEO ended up covering the bill personally, which is nice, but not exactly a scalable solution 😅

When I saw that story, my first thought was: this is an efficiency problem. Jmail is essentially a search interface on top of mostly static content. An SRE on Hacker News mentioned they handle 200x Jmail’s request load on just two Hetzner servers. The whole thing could have been served from a moderately sized VPS for a fraction of the cost.

That got me thinking about my own setup. I run everything on a single VPS: my blog, my side projects, my git server, analytics, a wiki, a forum, a secret sharing tool, and more. The whole thing is held together by NGINX, Gitea, some bash scripts, and Docker. No Kubernetes, no Terraform, no CI/CD platform with a $500/month bill. Just a cheap VPS, some config files, and a deployment flow that’s simple enough that I can fix it from my phone at the beach (I’ve written about that before).

I get asked about my deployment setup more often than I expected, so I figured I’d write it all down. Let me walk you through the whole thing.

The VPS

I’m running a Hetzner Cloud CPX21 in Nuremberg, Germany. Here are the specs:

Spec	Value
vCPUs	3
RAM	4 GB
Disk	80 GB SSD
OS	Ubuntu
Price	~€7-8/month

The CPX21 is one of Hetzner’s shared vCPU instances. It’s cheap, reliable, and more than enough for what I need. I’m usually sitting at around ~10% CPU and ~2GB RAM, so there’s plenty of headroom.

I set up the VPS manually. No Ansible, no configuration management, just plain old SSH and installing things by hand. I know, I know, “infrastructure as code” and all that. But for a single server that I manage myself, the overhead of automating the setup isn’t worth it. If the server dies, I can set it up again in a couple of hours and restore from backups.

What’s running on it

Here’s everything running on this single VPS:

Bare metal (directly on the server)

Service	Purpose
Gitea	Self-hosted git server
NGINX	Web server / reverse proxy
Certbot	SSL/TLS certificates
PHP-FPM	For WordPress sites
DokuWiki	Personal wiki
fail2ban	Brute force protection
UFW	Firewall
A couple WordPress sites	Various projects

Docker

Service	Purpose
ntfy	Push notifications
shhh	Secret sharing
SearXNG	Privacy-respecting search engine
WireGuard	VPN
phpBB	YAMS community forum
Umami	Privacy-respecting analytics
Gitea Actions runner	CI/CD runner
Watchtower	Automatic Docker image updates

Static sites (Hugo, served by NGINX)

Site	Purpose
rogs.me	This blog!
montevideo.restaurant	Restaurant directory
yams.media	YAMS documentation site

That’s a lot of stuff for a 4GB VPS. But static sites are basically free in terms of resources, and the Docker services are all lightweight. The heaviest things are probably Gitea and the WordPress sites, and even those barely register.

The web server: NGINX

Every site and service gets its own NGINX config file in /etc/nginx/conf.d/. One file per site, nice and clean. No sites-available / sites-enabled symlink dance.

Here’s what a typical config looks like for one of my Hugo sites:

server {
 root /var/www/rogs.me;
 index index.html;

 server_name rogs.me;

 location / {
 try_files $uri $uri/ =404;
 }

 listen 443 ssl; # managed by Certbot
 ssl_certificate /etc/letsencrypt/live/rogs.me/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/rogs.me/privkey.pem;
 include /etc/letsencrypt/options-ssl-nginx.conf;
 ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

server {
 if ($host = rogs.me) {
 return 301 https://$host$request_uri;
 }

 server_name rogs.me;
 listen 80;
 return 404;
}

Nothing fancy. Serve files from /var/www/rogs.me, redirect HTTP to HTTPS, done. The SSL bits are all managed by Certbot (more on that later).

For Docker services, the config looks slightly different because NGINX acts as a reverse proxy:

server {
 server_name analytics.rogs.me;

 location / {
 proxy_pass http://localhost:3000;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 }

 listen 443 ssl; # managed by Certbot
 # ... SSL config same as above
}

Same pattern: one file per service, NGINX handles SSL termination, and proxies to whatever port the Docker container exposes on localhost.

SSL/TLS with Let’s Encrypt

All certificates come from Let’s Encrypt via Certbot. I installed it with apt and used the NGINX plugin:

sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d rogs.me

Certbot modifies the NGINX config automatically to add the SSL directives (that’s why you see those # managed by Certbot comments).

Certificates auto-renew daily at 3 AM via a cron job:

0 3 * * * certbot renew -q

The -q flag keeps it quiet: no output unless something goes wrong. Certbot is smart enough to only renew certificates that are close to expiring, so running it daily is fine.

Self-hosted git with Gitea

I use Gitea as my primary git server. It runs bare metal on the VPS (not in Docker) and lives at git.rogs.me.

Why Gitea instead of just using GitHub? I want to own my git infrastructure. GitHub is great for collaboration, but I like having control over where my code lives. If GitHub goes down or decides to change their terms, my repos are safe on my own server.

That said, I mirror everything to both GitHub and GitLab so other people can collaborate, open issues, and submit PRs. Best of both worlds: I own the primary, and the mirrors handle the social coding side.

Gitea Actions

Gitea has a built-in CI/CD system called Gitea Actions that’s compatible with GitHub Actions workflows. The runner is the official gitea/act_runner Docker image, running on the same VPS. Pretty vanilla setup, no custom configuration.

This is the core of my deployment pipeline. Every time I push to master, Gitea Actions picks up the workflow and deploys the site.

Deploying Hugo sites

This is where it all comes together. All three of my Hugo sites follow the exact same deployment pattern. Here’s the flow:

 ┌──────────┐ push ┌──────────┐ Gitea Actions ┌──────────┐
│ Local │────────────────▶ │ Gitea │ ────────────────────▶│ Runner │
│ machine │ │(git.rogs)│ │ (Docker) │
└──────────┘ └──────────┘ └────┬─────┘
│
SSH into same VPS
│
▼
┌──────────┐
│ VPS │
│ git pull │
│ build.sh │
└────┬─────┘
│
Hugo builds to
/var/www/domain/
│
▼
┌──────────┐
│ NGINX │
│ serves │
└──────────┘

Yes, the Gitea Actions runner SSHes into the same server it’s running on. I know that’s a bit redundant, but I designed it this way on purpose: if I ever move my hosting somewhere else (or switch back to GitHub Actions), the workflow doesn’t need to change. The SSH target is just a secret, so I swap an IP address and everything keeps working.

The Gitea Actions workflow

Here’s the workflow file that lives in .gitea/workflows/deploy.yml in each repo:

name: deploy

on:
 push:
 branches:
 - master

jobs:
 deploy:
 runs-on: ubuntu-latest
 steps:
 - name: Deploy via SSH
 uses: appleboy/ssh-action@v1
 with:
 host: ${{ secrets.SSH_HOST }}
 username: ${{ secrets.SSH_USER }}
 key: ${{ secrets.SSH_PRIVATE_KEY }}
 port: ${{ secrets.SSH_PORT }}
 script: |
 cd repo && git stash && git pull --force origin master && ./build.sh

It’s beautifully simple:

Push to master triggers the workflow
The runner uses appleboy/ssh-action to SSH into the server
On the server: stash any local changes, pull the latest code, and run the build script

The git stash is there as a safety net. The WebP conversion in the build script modifies tracked files (more on that in a second), so without the stash, git pull would complain about dirty working tree.

All four secrets (SSH_HOST, SSH_USER, SSH_PRIVATE_KEY, SSH_PORT) are configured in Gitea’s repository settings. The SSH key has access to the server but is locked down to only what the deployment needs.

The build script

Every Hugo site has a build.sh in the repo root. Here’s the one for this blog:

#!/bin/bash

# Convert all images to WebP for better performance
for file in $(git ls-files --others --cached --exclude-standard \
 | grep -v '.git' \
 | grep -E '\.(png|jpg|jpeg)$'); do
 cwebp -lossless "$file" -o "${file%.*}.webp"
done

# Update all references from png/jpg/jpeg to webp
for tracked_file in $(git ls-files --others --cached --exclude-standard \
 | grep -v '.git'); do
 sed -i 's/\.png/.webp/g' "$tracked_file"
 sed -i 's/\.jpg/.webp/g' "$tracked_file"
 sed -i 's/\.jpeg/.webp/g' "$tracked_file"
done

# Build the site
hugo -s . -d /var/www/rogs.me/ --minify --cacheDir $PWD/hugo-cache

Three things happen here:

Image optimization: Every PNG, JPG, and JPEG gets converted to WebP using cwebp (lossless mode, so no quality loss). WebP files are significantly smaller than their originals.
Reference rewriting: All file references get updated from .png / .jpg / .jpeg to .webp. This is why we need git stash in the workflow; this step modifies tracked files.
Hugo build: Generates the static site with minification enabled and outputs it directly to /var/www/rogs.me/. NGINX is already configured to serve from that directory, so the site is live immediately.

The --cacheDir flag keeps Hugo’s build cache in the repo directory, which speeds up subsequent builds.

Each site’s build.sh is essentially identical, just with a different output path (montevideo.restaurant, yams.media, etc.).

Variations across sites

While the pattern is the same, there are small differences:

yams.media has a two-job workflow: a test_build job runs Hugo in a Docker container first to make sure the build succeeds, and only then does the deploy job run. This is because the YAMS docs site has more contributors, so I want to catch build errors before they hit production.
yams.media also uses --cleanDestinationDir and --gc flags for a cleaner build output.

Docker services and Watchtower

Most of my non-static services run in Docker with docker-compose. Each service has its own directory in /opt/:

/opt/
├── analytics.rogs.me/ # Umami
│ └── docker-compose.yml
├── ntfy/
│ └── docker-compose.yml
├── shhh/
│ └── docker-compose.yml
├── searx/
│ └── docker-compose.yml
└── ...

For updates, I use Watchtower. It runs as a Docker container itself and periodically checks if there are newer images available for my running containers. If there are, it pulls the new image, stops the old container, and starts a new one with the same configuration.

version: "3"
services:
 watchtower:
 image: containrrr/watchtower
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock
 restart: unless-stopped

Is this a bit risky? Sure. An automatic update could break something. But in practice, it hasn’t failed me once, and the services I’m running are stable enough that breaking changes in Docker images are rare. For a personal setup, the convenience of never having to manually update containers is worth the small risk.

Security

I’m not running a bank here, but I do take basic security seriously:

UFW (Uncomplicated Firewall): Only NGINX ports (80, 443) and SSH are open. Everything else is blocked.
fail2ban: Watches SSH logs and bans IPs after too many failed login attempts. Essential if your SSH port is exposed to the internet.
SSH keys only: Password authentication is disabled. If you don’t have the key, you’re not getting in.
Let’s Encrypt everywhere: Every site and service gets HTTPS. No exceptions.
Docker services on localhost: All Docker containers bind to localhost. They’re only accessible through the NGINX reverse proxy, which handles SSL termination.

# Quick UFW setup
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 'Nginx Full'
sudo ufw allow ssh
sudo ufw enable

DNS

All my domains use Cloudflare for DNS. But only DNS for most of them. I’m not using Cloudflare’s CDN or proxy features on my main sites. The DNS records point directly to my VPS IP with the proxy toggle set to “DNS only” (the grey cloud, not the orange one).

Why Cloudflare for DNS? Two reasons. First, it’s free, fast, and the dashboard is easy to use. Second, and more importantly: if something goes wrong, I can switch to using Cloudflare’s full proxy and DDoS protection with the flick of a button. Just toggle the grey cloud to orange and you’re behind Cloudflare’s network instantly.

I’ve already had to do this once. forum.yams.media (the YAMS community forum) was getting DDoSed and swarmed by bots constantly. Flipping that toggle to orange solved the problem immediately. The rest of my sites run without Cloudflare’s proxy because they don’t need it, but knowing I can turn it on in seconds gives me peace of mind.

Backups

This is the part that most people skip. Don’t be most people.

My backup strategy has two stages:

 ┌─────────────┐ 11 PM cron ┌───────────────────┐
│ VPS │ ───────────────▶│ /home/backups/ │
│ (services) │ tar + GPG │ (encrypted .gpg) │
└─────────────┘ └─────────┬─────────┘
│
midnight cron
(SSH pull)
│
▼
┌──────────────────┐
│ Home Server │
│ (NAS + S3) │
└──────────────────┘

Stage 1: Backup on the VPS (11 PM)

Every night at 11 PM, a series of cron jobs run backup scripts for each service. Each script follows the same pattern:

#!/bin/bash

BACKUP_DIR="/home/backups/servicename"
TARGET_DIR="/path/to/service"
DATE=$(date +%Y-%m-%d-%s)
BACKUP_FILE="$BACKUP_DIR/backup-servicename-$DATE.tar.zst"
ENCRYPTED_FILE="$BACKUP_FILE.gpg"
LOG_FILE="/var/log/backup_servicename.log"
GPG_RECIPIENT="your-email@example.com"

log_message() {
 echo "$(date +'%Y-%m-%d %H:%M:%S') - $1" | tee -a "$LOG_FILE"
}

log_message "=== Starting backup ==="

mkdir -p "$BACKUP_DIR"

# For Docker services: stop containers first
docker compose stop

# Create compressed archive
tar -caf "$BACKUP_FILE" -C "$TARGET_DIR" .

# Encrypt with GPG
gpg --encrypt --armor -r "$GPG_RECIPIENT" -o "$ENCRYPTED_FILE" "$BACKUP_FILE"
rm -f "$BACKUP_FILE" # Remove unencrypted version

# For Docker services: restart containers
docker compose up -d

log_message "=== Backup completed ==="

Key points:

Compression: I use tar.zst (Zstandard) for compression. It’s faster than gzip and produces smaller files.
Encryption: Every backup gets GPG-encrypted before it touches the network. Even if someone gets access to the backup files, they’re useless without my private key.
Docker services: For services running in Docker, the script stops the containers before backing up to ensure data consistency, then starts them again. This causes a brief downtime (usually a few seconds), which is fine for personal services at 11 PM.
Database dumps: For services with databases (like Gitea, which uses MySQL), the script dumps the database separately with mysqldump before creating the archive.
Logging: Every step is logged to /var/log/, so I can check if something went wrong.

Stage 2: Pull to home server (midnight)

At midnight, my home server SSHes into the VPS and pulls all the encrypted backup files to my local NAS. From there, they also get pushed to an S3 bucket.

This gives me the classic 3-2-1 backup strategy: 3 copies of the data (VPS, NAS, S3), on 2 different media types, with 1 offsite copy. If Hetzner’s datacenter burns down, I have everything locally. If my house burns down, I have everything in S3.

Monitoring

I run Uptime Kuma on my home server to monitor all my services. It checks every site and service periodically and sends me a notification (via ntfy, naturally) if something goes down.

It’s not fancy, but it works. I’ve caught a few issues before anyone else noticed them, which is the whole point.

The big picture

Here’s what the whole setup looks like:

 ┌─────────────────────────────────────────────────────────┐
│ Hetzner CPX21 │
│ │
│ ┌─────────┐ ┌──────────────────────────────────┐ │
│ │ Gitea │ │ NGINX │ │
│ │ Actions │ │ ┌──────────┐ ┌──────────────┐ │ │
│ │ Runner │ │ │ Static │ │ Reverse │ │ │
│ │ (Docker) │ │ │ sites │ │ proxy to │ │ │
│ └────┬─────┘ │ │/var/www/ │ │ Docker svcs │ │ │
│ │ │ └──────────┘ └──────────────┘ │ │
│ │ SSH │ ▲ │ │ │
│ │ └────────┼──────────────┼──────────┘ │
│ │ │ │ │
│ ▼ │ ▼ │
│ ┌─────────┐ ┌───────┐ ┌───────────┐ │
│ │ Git │──build──│ Hugo │ │ Docker │ │
│ │ repos │ │ sites │ │ services │ │
│ └─────────┘ └───────┘ └───────────┘ │
│ │
│ ┌─────────────┐ ┌──────────┐ ┌────────────┐ │
│ │ Gitea │ │ Certbot │ │ fail2ban │ │
│ │ (bare metal)│ │ (SSL) │ │ + UFW │ │
│ └─────────────┘ └──────────┘ └────────────┘ │
└─────────────────────────────────────────────────────────┘

Conclusion

The whole philosophy here is simplicity. There’s no orchestration tool, no container registry, no deployment platform. It’s just:

Push code to Gitea
A workflow SSHes into the server
Git pull + bash script builds the site
NGINX serves it

Could I make this more sophisticated? Sure. Could I use Ansible to manage the server config, or Kubernetes to orchestrate the containers, or a proper CI/CD platform with build artifacts and rollbacks? Absolutely. But for a personal setup that hosts a blog, some side projects, and a handful of services, this is more than enough.

The setup has been running for years with minimal maintenance. The most time I spend on it is writing backup scripts for new services and adding NGINX configs when I deploy something new. Everything else is automated: deployments, SSL renewals, Docker updates, backups.

If you’re thinking about self-hosting your projects, my advice is: start simple. A VPS, NGINX, and a bash script can take you surprisingly far. You can always add complexity later if you need it, but in my experience, you probably won’t.

If you have questions about any part of this setup, feel free to reach out on the Contact page. I’m always happy to help people get started with self-hosting.

See you in the next one!

Adding analytics to my blog

Wed, 18 Feb 2026 00:00:00 +0000

Hey everyone, quick heads up: I’m adding analytics to the blog.

Before you reach for your adblocker, hear me out. I’m using Umami, which is open source, privacy-respecting, and doesn’t use cookies. It doesn’t track you across sites, doesn’t collect personal data, and is fully open source so you can verify that yourself.

On top of that, I’m self-hosting it on my own infrastructure, so the data never touches a third party. No Google Analytics, no Cloudflare analytics, no one else sees anything.

I mainly want to know which posts are actually useful to people and which ones are just me yelling into the void. That’s it.

If you have any questions or concerns, you know where to find me on the Contact page.

Use your Claude Max subscription as an API with CLIProxyAPI

Fri, 13 Feb 2026 00:00:00 +0000

So here’s the thing: I’m paying $100/month for Claude Max. I use it a lot, it’s worth it. But then I wanted to use my subscription with my Emacs packages — specifically forge-llm (which I wrote!) for generating PR descriptions in Forge, and magit-gptcommit for auto-generating commit messages in Magit. Both packages use the llm package, which supports OpenAI-compatible endpoints.

The problem? Anthropic blocks OAuth tokens from being used directly with third-party API clients. You have to pay for API access separately. 🤔

That felt wrong. I’m already paying for the subscription, why can’t I use it however I want?

Turns out, there’s a workaround. The Claude Code CLI can use OAuth tokens. So if you put a proxy in front of it that speaks the OpenAI API format, you can use your Max subscription with basically anything that supports OpenAI endpoints. And that’s exactly what CLIProxyAPI does.

Your App (Emacs llm package, scripts, whatever)
↓
HTTP Request (OpenAI format)
↓
CLIProxyAPI
↓
OAuth Token (from your Max subscription)
↓
Anthropic API
↓
Response → OpenAI format → Your App

No extra API costs. Just your existing subscription. Sweet!

Why CLIProxyAPI and not something else?

I actually tried claude-max-api-proxy first. It worked! But the model list was outdated (no Opus 4.5, no Sonnet 4.5), it’s a Node.js project that wraps the CLI as a subprocess, and it felt a bit… abandoned.

CLIProxyAPI is a completely different story:

Single Go binary. No Node.js, no Python, no runtime dependencies. Just download and run.
Actively maintained. Like, very actively. Frequent releases, big community, ecosystem tools everywhere (desktop GUI, web dashboard, AUR package, Docker images, the works).
Multi-provider. Not just Claude: it also supports Gemini, OpenAI Codex, Qwen, and more. You can even round-robin between multiple OAuth accounts.
All the latest models. It uses the full dated model names (e.g., claude-sonnet-4-20250514), so you’re always up to date.

What you’ll need

An active Claude Max subscription ($100/month). Claude Pro works too, but with lower rate limits.
A machine running Linux or macOS.
A web browser for the OAuth flow (or use --no-browser if you’re on a headless server).

Installation

Linux

There’s a community installer that does everything for you: downloads the latest binary to ~/cliproxyapi/, generates API keys, creates a systemd service:

curl -fsSL https://raw.githubusercontent.com/brokechubb/cliproxyapi-installer/refs/heads/master/cliproxyapi-installer | bash

macOS

Homebrew. Easy:

brew install cliproxyapi

Authenticating with Claude

Before the proxy can use your subscription, you need to log in:

# Linux
cd ~/cliproxyapi
./cli-proxy-api --claude-login

# macOS (Homebrew)
cliproxyapi --claude-login

This opens your browser for the OAuth flow. Log in with your Claude account, authorize it, done. The token gets saved to ~/.cli-proxy-api/.

If you’re on a headless machine, add --no-browser and it’ll print the URL for you to open elsewhere:

./cli-proxy-api --claude-login --no-browser

Configuration

The installer generates a config.yaml with random API keys. These are keys that clients use to authenticate to your proxy, not Anthropic keys.

Here’s what I’m running:

# Bind to localhost only since I'm using it locally
host: "127.0.0.1"

# Server port
port: 8317

# Authentication directory
auth-dir: "~/.cli-proxy-api"

# No client auth needed for local-only use
api-keys: []

# Keep it quiet
debug: false

The important bit is api-keys: []. Setting it to an empty list disables client authentication, which means any app on your machine can hit the proxy without needing a key. This is fine if you’re only using it locally.

If you’re exposing the proxy to your network (e.g., you want to hit it from your phone or another machine), keep the generated API keys and also set host: "" so it binds to all interfaces. You don’t want random people on your network burning through your subscription.

Starting the service

Linux (systemd)

The installer creates a systemd user service for you:

systemctl --user enable --now cliproxyapi.service
systemctl --user status cliproxyapi.service

Or just run it manually to test first:

cd ~/cliproxyapi
./cli-proxy-api

macOS (Homebrew)

brew services start cliproxyapi

Testing it

Let’s make sure everything works:

# List available models
curl http://localhost:8317/v1/models

# Chat completion
curl -X POST http://localhost:8317/v1/chat/completions \
 -H "Content-Type: application/json" \
 -d '{
 "model": "claude-sonnet-4-20250514",
 "messages": [{"role": "user", "content": "Say hello in one sentence."}]
 }'

# Streaming (note the -N flag to disable curl buffering)
curl -N -X POST http://localhost:8317/v1/chat/completions \
 -H "Content-Type: application/json" \
 -d '{
 "model": "claude-sonnet-4-20250514",
 "messages": [{"role": "user", "content": "Say hello in one sentence."}],
 "stream": true
 }'

If you get a response from Claude, you’re golden. 🎉

Using it with Emacs

This is the fun part. Both forge-llm and magit-gptcommit use the llm package for their LLM backend. The llm package has an OpenAI-compatible provider, so we just need to point it at our proxy.

Setting up the llm provider

First, make sure you have the llm package installed. Then configure an OpenAI provider that points to CLIProxyAPI:

(require 'llm-openai)

(setq my/claude-via-proxy
 (make-llm-openai-compatible
 :key "not-needed"
 :chat-model "claude-sonnet-4-20250514"
 :url "http://localhost:8317/v1"))

That’s it. That’s the whole LLM setup. Now we can use it everywhere.

forge-llm (PR descriptions)

I wrote forge-llm to generate PR descriptions in Forge using LLMs. It analyzes the git diff, picks up your repository’s PR template, and generates a structured description. To use it with CLIProxyAPI:

(use-package forge-llm
 :after forge
 :config
 (forge-llm-setup)
 (setq forge-llm-llm-provider my/claude-via-proxy))

Now when you’re creating a PR in Forge, you can hit SPC m g (Doom) or run forge-llm-generate-pr-description and Claude will write the description based on your diff. Using your subscription. No API key needed.

magit-gptcommit (commit messages)

magit-gptcommit does the same thing but for commit messages. It looks at your staged changes and generates a conventional commit message. Setup:

(use-package magit-gptcommit
 :after magit
 :config
 (setq magit-gptcommit-llm-provider my/claude-via-proxy)
 (magit-gptcommit-mode 1)
 (magit-gptcommit-status-buffer-setup))

Now in the Magit commit buffer, you can generate a commit message with Claude. Again, no separate API costs.

Any other llm-based package

The beauty of the llm package is that any Emacs package that uses it can benefit from this setup. Just pass my/claude-via-proxy as the provider. Some other packages that use llm: ellama, ekg, llm-refactoring. They’ll all work with your Max subscription through the proxy.

Using it with other tools

Since CLIProxyAPI speaks the OpenAI API format, it works with anything that supports custom OpenAI endpoints. The magic three settings are always the same:

Base URL: http://localhost:8317/v1
API key: not-needed (or your proxy key if you have auth enabled)
Model: claude-sonnet-4-20250514, claude-opus-4-20250514, etc.

Here’s a Python example using the OpenAI SDK:

from openai import OpenAI

client = OpenAI(
 base_url="http://localhost:8317/v1",
 api_key="not-needed"
)

response = client.chat.completions.create(
 model="claude-sonnet-4-20250514",
 messages=[{"role": "user", "content": "Hello!"}]
)

print(response.choices[0].message.content)

Available models

CLIProxyAPI exposes all models available through your subscription. The names use the full dated format. You can always check the list with:

curl -s http://localhost:8317/v1/models | jq '.data[].id'

At the time of writing, you’ll get Claude Opus 4, Sonnet 4, Sonnet 4.5, Haiku 4.5, and whatever else Anthropic has made available to Max subscribers.

How much does this save?

If you’re already paying for Claude Max, this is basically free API access. For context:

Usage	API Cost	With CLIProxyAPI
1M input tokens/month	~$15	$0 (included)
500K output tokens/month	~$37.50	$0 (included)
Monthly Total	~$52.50	$0 extra

And those numbers add up quick when you’re generating PR descriptions and commit messages all day. I was getting to the point where my API costs were approaching the subscription price, which is silly when you think about it.

Conclusion

The whole setup took me about 10 minutes. Download binary, authenticate, edit config, start service, point my Emacs llm provider at it. That’s it.

What I love about CLIProxyAPI is that it’s exactly the kind of tool I appreciate: a single binary, a YAML config, does one thing well, and gets out of your way. No magic, no framework, no runtime dependencies. And since it’s OpenAI-compatible, it plays nicely with the entire llm package ecosystem in Emacs.

The project is at https://github.com/router-for-me/CLIProxyAPI and the community is very active. If you run into issues, their GitHub issues are responsive.

See you in the next one!

Claude Code from the beach: My remote coding setup with mosh, tmux and ntfy

Tue, 10 Feb 2026 00:00:00 +0000

The view two blocks from my apartment

I recently read this awesome post by Granda about running Claude Code from a phone, and I thought: I need this in my life. The idea is simple: kick off a Claude Code task, pocket the phone, go do something fun, and get a notification when Claude needs your help or finishes working. Async development from anywhere.

But my setup is a bit different from his. I’m not using Tailscale or a cloud VM. I already have a WireGuard VPN connecting my devices, a home server, and a self-hosted ntfy instance. So I built my own version, tailored to my infrastructure.

Here’s the high-level architecture:

┌──────────┐ mosh ┌─────────────┐ ssh ┌─────────────┐
│ Phone │───────────────▶ │ Home Server │───────────────▶ │ Work PC │
│ (Termux) │ WireGuard │ (Jump Box) │ LAN │(Claude Code)│
└──────────┘ └─────────────┘ └──────┬──────┘
▲ │
│ ntfy (HTTPS) │
└─────────────────────────────────────────────────────────────┘

The loop is: I’m at the beach, I type cc on my phone, I land in a tmux session with Claude Code. I give it a task, pocket the phone, and go back to whatever I was doing. When Claude has a question or finishes, my phone buzzes. I pull it out, respond, pocket it again. Development fits into the gaps of the day.

And here’s what the async development loop looks like in practice:

 📱 Phone 💻 Work PC 🔔 ntfy
│ │ │
│──── type 'cc' ────────────▶│ │
│──── give Claude a task ───▶│ │
│ │ │
│ ┌─────────────────┐ │ │
│ │ pocket phone │ │ │
│ └─────────────────┘ │ │
│ │ │
│ │── hook fires ────────────▶│
│◀── "Claude needs input" ───────────────────────────────│
│ │ │
│──── respond ──────────────▶│ │
│ │ │
│ ┌─────────────────┐ │ │
│ │ pocket phone │ │ │
│ └─────────────────┘ │ │
│ │ │
│ │── hook fires ────────────▶│
│◀── "Task complete" ────────────────────────────────────│
│ │ │
│──── review, approve PR ───▶│ │
│ │ │

Why not just use the blog post’s setup?

Granda’s setup uses Tailscale for VPN, a Vultr cloud VM, Termius as the mobile terminal, and Poke for notifications. It’s clean and it works. But I had different constraints:

I already have a WireGuard VPN running wg-quick on a server that connects all my devices. No need for Tailscale.
I didn’t want to pay for a cloud VM. My work PC is more than powerful enough to run Claude Code.
I self-host ntfy for notifications, so no need for Poke or any external notification service.
I use Termux (open-source), not Termius.

If you don’t have this kind of infrastructure already, Granda’s approach is probably simpler. But if you’re the kind of person who already has a WireGuard mesh and self-hosted services, this guide is for you.

The pieces

Component	Purpose	Alternatives
WireGuard	VPN to reach home network	Tailscale, Zerotier, Nebula
mosh	Network-resilient shell (phone leg)	Eternal Terminal (et), plain SSH
SSH	Secure connection (LAN leg)	mosh (if you want it end-to-end)
tmux	Session persistence	screen, zellij
Claude Code	The actual work	—
ntfy	Push notifications	Pushover, Gotify, Poke, Telegram
Termux	Terminal emulator	Termius, JuiceSSH, ConnectBot
fish shell	Shell on all machines	zsh, bash

The key insight is that you need two different types of resilience: mosh handles the flaky mobile connection (WiFi to cellular transitions, dead zones, phone sleeping), while tmux handles session persistence (close the app, reopen hours later, everything’s still there). Together they make mobile development actually viable.

Why the double SSH? Why not make the work PC a WireGuard peer?

You might be wondering: if I already have a WireGuard network, why not just add the work PC as a peer and mosh straight into it from my phone?

The short answer: it’s my employer’s machine. It has monitoring software installed: screen grabbing, endpoint policies, the works. Installing WireGuard on it would mean running a VPN client that tunnels traffic through my personal infrastructure, which is the kind of thing that raises flags with IT security. I don’t want to deal with that conversation.

SSH, on the other hand, is standard dev tooling. An openssh-server on a Linux machine is about as unremarkable as it gets.

So instead, my home server acts as a jump box. My phone connects to the home server over WireGuard (that’s all personal infrastructure, no employer involvement), and then the home server SSHs into the work PC over the local network. The work PC only needs an SSH server, no VPN client, no weird tunnels, nothing that would make the monitoring software blink.

 ┌──────────────────────────────────────────────────┐
│ My Infrastructure │
│ │
│ ┌───────────┐ WireGuard ┌──────────────┐ │
│ │ Phone │◀──────────────▶│ WG Server │ │
│ │ (peer) │ tunnel │ │ │
│ └─────┬─────┘ └──────┬───────┘ │
│ │ │ │
│ │ mosh WireGuard │ │
│ │ (through tunnel) tunnel │ │
│ │ │ │
│ ▼ ▼ │
│ ┌──────────────┐ │
│ │ Home Server │◀───────────────────────────────│
│ │ (peer) │ │
│ └──────┬───────┘ │
│ │ │
└─────────┼────────────────────────────────────────┘
│
│ ssh (LAN)
│
┌─────────┼────────────────────────────────────────┐
│ ▼ │
│ ┌────────────┐ │
│ │ Work PC │ │
│ │ (SSH only) │ Employer Infrastructure │
│ └────────────┘ │
└──────────────────────────────────────────────────┘

As a bonus, this means the work PC has zero exposure to the public internet. It only accepts SSH from machines on my local network. Defense in depth.

Phase 1: SSH server on the work PC

My work PC is running Ubuntu 24.04. First thing: install and harden the SSH server.

sudo apt update && sudo apt install -y openssh-server
sudo systemctl enable ssh

Note: on Ubuntu 24.04 the service is called ssh, not sshd. This tripped me up.

Then harden the config. I created /etc/ssh/sshd_config with:

PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowAgentForwarding no
X11Forwarding no
UsePAM yes
MaxAuthTries 3
ClientAliveInterval 60
ClientAliveCountMax 3

Key-only auth, no root login, no password auth. Since the machine is only accessible through my local network, this is plenty secure.

Setting up SSH keys for the home server → work PC connection

On the home server, generate a key pair if you don’t already have one:

ssh-keygen -t ed25519 -C "homeserver->workpc"

Accept the default path (/.ssh/id_ed25519). Then copy the public key to the work PC:

ssh-copy-id roger@<work-pc-ip>

Now restart sshd:

sudo systemctl restart ssh

Important: Test the SSH connection from your home server before closing your current session. Don’t lock yourself out.

# From the home server
ssh roger@<work-pc-ip>

If it drops you into a shell without asking for a password, you’re golden.

Alternative: Tailscale

If you don’t have a WireGuard setup, Tailscale is the easiest way to get a private network going. Install it on your phone and your work PC, and they can see each other directly. No jump host needed, no port forwarding, no firewall rules. It’s honestly magic for this kind of thing. The only reason I don’t use it is because I already had WireGuard running before Tailscale existed.

Phase 2: tmux + auto-attach

The idea here is simple: every time I SSH into the work PC, I want to land directly in a tmux session. If the session already exists, attach to it. If not, create one.

First, ~/.tmux.conf:

# mouse support (essential for thumbing it on the phone)
set -g mouse on

# start window numbering at 1 (easier to reach on phone keyboard)
set -g base-index 1
setw -g pane-base-index 1

# status bar
set -g status-style 'bg=colour235 fg=colour136'
set -g status-left '#[fg=colour46][#S] '
set -g status-right '#[fg=colour166]%H:%M'
set -g status-left-length 30

# longer scrollback
set -g history-limit 50000

# reduce escape delay (makes editors snappier over SSH)
set -sg escape-time 10

# keep sessions alive
set -g destroy-unattached off

Mouse support is essential when you’re using your phone. Being able to tap to select panes, scroll with your finger, and resize things makes a massive difference.

Then in ~/.config/fish/config.fish on the work PC:

if set -q SSH_CONNECTION; and not set -q TMUX
 tmux attach -t claude 2>/dev/null; or tmux new -s claude -c ~/projects/my-app
end

This checks for SSH_CONNECTION so it only auto-attaches when I’m remoting in. When I’m physically at the machine, I use the terminal normally without tmux. This distinction becomes important later for notifications.

Phase 3: Claude Code hooks + ntfy

This is the fun part. Claude Code has a hook system that lets you run commands when certain events happen. We’re going to hook into three events:

AskUserQuestion: Claude needs my input. High priority notification.
Stop: Claude finished the task. Normal priority.
Error: Something broke. High priority.

The notification script

First, the script that sends notifications. I created ~/.claude/hooks/notify.sh:

#!/usr/bin/env bash

# Only notify if we're in an SSH-originated tmux session
if ! tmux show-environment SSH_CONNECTION 2>/dev/null | grep -q SSH_CONNECTION=; then
 exit 0
fi

EVENT_TYPE="${1:-unknown}"
NTFY_URL="https://ntfy.example.com/claude-code"
NTFY_TOKEN="tk_your_token_here"

EVENT_DATA=$(cat)

case "$EVENT_TYPE" in
 question)
 TITLE="🤔 Claude needs input"
 PRIORITY="high"
 MESSAGE=$(echo "$EVENT_DATA" | jq -r '.tool_input.question // .tool_input.questions[0].question // "Claude has a question for you"' 2>/dev/null)
 ;;
 stop)
 TITLE="✅ Claude finished"
 PRIORITY="default"
 MESSAGE="Task complete"
 ;;
 error)
 TITLE="❌ Claude hit an error"
 PRIORITY="high"
 MESSAGE=$(echo "$EVENT_DATA" | jq -r '.error // "Something went wrong"' 2>/dev/null)
 ;;
 *)
 TITLE="Claude Code"
 PRIORITY="default"
 MESSAGE="Event: $EVENT_TYPE"
 ;;
esac

PROJECT=$(basename "$PWD")

curl -s \
 -H "Authorization: Bearer $NTFY_TOKEN" \
 -H "Title: $TITLE" \
 -H "Priority: $PRIORITY" \
 -H "Tags: computer" \
 -d "[$PROJECT] $MESSAGE" \
 "$NTFY_URL" > /dev/null 2>&1

chmod +x ~/.claude/hooks/notify.sh

The SSH_CONNECTION check at the top is crucial: it prevents notifications from firing when I’m sitting at the machine. Since I only use tmux when SSHing in remotely, the tmux environment will only have SSH_CONNECTION set when I’m remote. Neat trick.

Claude Code settings

Then in ~/.claude/settings.json:

{
 "hooks": {
 "PreToolUse": [
 {
 "matcher": "AskUserQuestion",
 "hooks": [
 {
 "type": "command",
 "command": "~/.claude/hooks/notify.sh question"
 }
 ]
 }
 ],
 "Stop": [
 {
 "hooks": [
 {
 "type": "command",
 "command": "~/.claude/hooks/notify.sh stop"
 }
 ]
 }
 ]
 }
}

This is the global settings file. If your project also has a .claude/settings.json, they’ll be merged. No conflicts.

ntfy setup

I’m self-hosting ntfy, so I created a topic and an access token:

# Inside your ntfy server/container
ntfy token add --expires=30d your-username
ntfy access your-username claude-code rw
ntfy access everyone claude-code deny

ntfy topics are created on demand, so just subscribing to one creates it. On the Android ntfy app, I pointed it at my self-hosted instance and subscribed to the claude-code topic.

You can test the whole thing works with:

echo '{"tool_input":{"question":"Should I refactor this?"}}' | ~/.claude/hooks/notify.sh question
echo '{}' | ~/.claude/hooks/notify.sh stop
echo '{"error":"ModuleNotFoundError: No module named foo"}' | ~/.claude/hooks/notify.sh error

Three notifications, three different priorities. Very satisfying.

Alternative notification systems

If you don’t want to self-host ntfy, here are some options:

ntfy.sh: The public instance of ntfy. Free, no setup, just pick a random-ish topic name. The downside is that anyone who knows your topic name can send you notifications.
Pushover: $5 one-time purchase per platform. Very reliable, nice API. The notification script would be almost identical, just a different curl call.
Gotify: Self-hosted like ntfy, but uses WebSockets instead of HTTP. Good if you’re already running it.
Telegram Bot API: Free, easy to set up. Create a bot with BotFather, get your chat ID, and curl the sendMessage endpoint.
Poke: What Granda uses in his post. Simple webhook-to-push service.

Phase 4: Termux setup

Termux is the terminal emulator on my Android phone. Here’s how I set it up.

pkg update && pkg install -y mosh openssh fish

SSH into your phone (for easier setup)

Configuring all of this on a phone keyboard is painful. I set up sshd on Termux so I could configure it from my PC.

In ~/.config/fish/config.fish:

sshd 2>/dev/null

This starts sshd every time you open Termux. If it’s already running, it silently fails. Termux runs sshd on port 8022 by default.

First, set a password on Termux (you’ll need it for the initial key copy):

passwd

Then from your PC, copy your key and test the connection:

ssh-copy-id -p 8022 <phone-ip>
ssh -p 8022 <phone-ip>

Now you can configure Termux comfortably from your PC keyboard.

Generating SSH keys on the phone

On Termux, generate a key pair:

ssh-keygen -t ed25519 -C "phone"

Then copy it to your home server:

ssh-copy-id <your-user>@<home-server-wireguard-ip>

This gives you passwordless phone → home server. Since we already set up home server → work PC keys in Phase 1, the full chain is now passwordless.

SSH config

The SSH config is where the magic happens. On Termux:

Host home
HostName <home-server-wireguard-ip>
User <your-user>
Host work
HostName <work-pc-ip>
User roger
ProxyJump home

ProxyJump is the key: ssh work automatically hops through the home server. No manual double-SSHing.

Fish aliases

These are the aliases that make everything a one-command operation:

# Connect to work PC, land in tmux with Claude Code ready
alias cc="mosh home -- ssh -t work"

# New tmux window in the claude session
alias cn="mosh home -- ssh -t work 'tmux new-window -t claude -c \$HOME/projects/my-app'"

# List tmux windows
alias cl="ssh work 'tmux list-windows -t claude'"

cc is all I need to type. Mosh handles the phone-to-home-server connection (surviving WiFi/cellular transitions), SSH handles the home-server-to-work-PC hop over the LAN, and the fish config on the work PC auto-attaches to tmux.

Alternative: Termius

If you’re on iOS (or just prefer a polished app), Termius is what Granda uses. It supports mosh natively and has a nice UI. The downside is it’s a subscription for the full features. Termux is free and open-source, and gives you a full Linux environment.

Other options: JuiceSSH (Android, no mosh), ConnectBot (Android, no mosh). Mosh support is really the killer feature here, so Termux or Termius are the best choices.

Phase 5: The full flow

Here’s what my actual workflow looks like:

I’m at the beach/coffee shop/couch/wherever 🏖️
Open Termux, type cc
I’m in my tmux session on my work PC
Start Claude Code, give it a task: “add pagination to the user dashboard API and update the tests”
Pocket the phone
Phone buzzes: “🤔 Claude needs input — Should I use cursor-based or offset-based pagination?”
Pull out phone, Termux is still connected (thanks mosh), type “cursor-based, use the created_at field”
Pocket the phone again
Phone buzzes: “✅ Claude finished — Task complete”
Review the changes, approve the PR, go back to the beach

The key thing that makes this work is the combination of mosh (connection survives me pocketing the phone) + tmux (session survives even if mosh dies) + ntfy (I don’t have to keep checking the screen). Without any one of these three, the experience breaks down.

Security considerations

A few things to keep in mind:

SSH keys only: No password auth anywhere in the chain. Keys are easier to manage and impossible to brute force.
WireGuard: The work PC is only accessible through my local network. No ports exposed to the public internet.
ntfy token auth: The notification topic requires authentication. No one else can send you fake notifications or read your Claude Code questions.
Claude Code in normal mode: Unlike Granda’s setup where he runs permissive mode on a disposable VM, my work PC is not disposable. Claude asks before running dangerous commands, which pairs nicely with the notification system.
tmux SSH check: Notifications only fire when I’m remote. When I’m at the machine, no unnecessary pings.

Conclusion

The whole setup took me about an hour to put together. The actual configuration is pretty minimal: an SSH server, a tmux config, a notification script, and some fish aliases.

What I love about this setup is that it’s all stuff I already had. WireGuard was already running, ntfy was already self-hosted, Termux was already on my phone. I just wired them together with a few scripts and some Claude Code hooks.

If you have a similar homelab setup, you can probably get this running in 30 minutes. If you’re starting from scratch, Granda’s cloud VM approach is probably easier. Either way, async coding from your phone is genuinely a game changer.

See you in the next one!

Introducing: YAMS (Yet Another Media Server)!

Fri, 20 Jan 2023 09:57:48 -0300

Hello internet 😎

I’m here with a big announcement: I have created a bash script that installs my entire media server, fast and easy 🎉

TL;DR

I’ve created YAMS. A full media server that allows you to download and categorize your shows/movies.

Go to YAMS’s website here: http://yams.media or check it on Gitlab here: https://gitlab.com/rogs/yams.

A little history

When I first set up my media server, it took me ~2 weeks to install, configure and understand how it’s supposed to work: Linking Sonarr, Radarr, Jackett together, choosing a good BitTorrent downloader, understanding all the moving pieces, choosing Emby, etc. My plan with YAMS is to make it easier for noobs (and lazy people like me) to set up their media servers super easily.

I have been working on YAMS for ~2 weeks. The docker-compose file has existed for almost 2 years but without any configuration instructions. Basically, you had to do everything manually, and if you didn’t have any experience with docker, docker-compose, or any of the services included, it was very cumbersome to configure and understand how everything worked together.

So basically, I’m encapsulating my experience for anyone that wants to use it. If you don’t like it, at least you might learn something from my experience, YAMS’s docker-compose file or its configuration tutorial.

This is my first (and hopefully not last!) piece of open source software. I know it’s just a bash script that sets up a docker-compose file, but seeing how my friends are using it and giving me feedback is exciting and addictive!

Why?

In 2019 I wanted a setup that my non-technical girlfriend could use without any problems, so I started designing my media server using multiple open source projects and running them on top of docker.

Today I would like to say it works very well 😎 And most importantly, I accomplished my goal: My girlfriend uses it regularly and I even was able to expand it to my mother, who lives 5000kms from me.

But then, my friends saw my setup…

On June 2022 I had a small “party” with my work friends at my apartment, and all of them were very impressed with my home server setup:

“Sonarr” to index shows.
“Radarr” to index movies.
“qBittorrent” to download torrents.
“Emby” to serve the server.

They kept telling me to create a tutorial, or just teach them how to set one up themselves.

I tried to explain the full setup to one of them, but explaining how everything connected and worked together was a big pain. That is what led me to create this script and configuration tutorial, so anyone regardless of their tech background and knowledge could start a basic media server.

So basically, my friends pushed me to build this script and documentation, so they (and now anyone!) could build it on their own home servers.

Ok, sounds cool. What did you do then?

A bash script that asks basic questions to the user and sets up the ultimate media server, with configuration instructions included! (That’s the part I really REALLY enjoyed!)

What’s included with YAMS?

This script installs the following software:

This combination allows you to create a fully functional media server that is going to download, categorize, subtitle, and serve your favorite shows and movies.

Features

In no particular order:

Automatic shows/movies download: Just add your shows and movies to the watch list and it should automatically download the files when they are available.
Automatic classification and organization: Your media files should be completely organized by default.
Automatic subtitles download: Self-explanatory. Your media server should automatically download subtitles in the languages you choose if they are available.
Support for Web, Android, iOS, Android TV, and whatever that can support Emby: Since we are using Emby, you should be able to watch your favorite media almost anywhere.

Conclusion

You can go to YAMS’s website here: https://yams.media.

I’m very proud of how YAMS is turning out! If you end up using it on your server, I just want to tell you THANK YOU 🙇 from the bottom of my heart. You are AWESOME!

Feedback is GREATLY appreciated (the VPN was added from the feedback!). I’m here to support YAMS for the long run, so I would like suggestions on how to improve the setup/website/configuration steps.

You can always submit issues on Gitlab if you find any problems, or you can contact me directly (email preferred!).

Removing comments from my blog

Sat, 14 Jan 2023 00:00:00 +0000

I’m removing comments from my blog.

I’ve been thinking about this for a while, but I noticed that comments weren’t being used and most posts were not that interesting. Don’t get me wrong, I really appreciate your awesome comments, but running commento takes a lot of resources and I don’t really see the full benefit of them.

From now on, if you want to leave a comment (“thank yous”, suggestions, etc), you can send me an email. You’ll find my email addess on the Contact page.

You have a good and relevant comment, I’ll update the relevant post accordingly.

Using MinIO to upload to a local S3 bucket in Django

Sun, 10 Jan 2021 00:00:00 +0000

So MinIO its an object storage that uses the same API as S3, which means that we can use the same S3 compatible libraries in Python, like Boto3 and django-storages.

The setup

Here’s the docker-compose configuration for my django app:

version: "3"

services:
 app:
 build:
 context: .
 volumes:
 - ./app:/app
 ports:
 - 8000:8000
 depends_on:
 - minio
 command: >
 sh -c "python manage.py migrate &&
 python manage.py runserver 0.0.0.0:8000"

 minio:
 image: minio/minio
 ports:
 - 9000:9000
 environment:
 - MINIO_ACCESS_KEY=access-key
 - MINIO_SECRET_KEY=secret-key
 command: server /export

 createbuckets:
 image: minio/mc
 depends_on:
 - minio
 entrypoint: >
 /bin/sh -c "
 apk add nc &&
 while ! nc -z minio 9000; do echo 'Wait minio to startup...' && sleep 0.1; done; sleep 5 &&
 /usr/bin/mc config host add myminio http://minio:9000 access-key secret-key;
 /usr/bin/mc mb myminio/my-local-bucket;
 /usr/bin/mc policy download myminio/my-local-bucket;
 exit 0;
 "

app is my Django app. Nothing new here.
minio is the MinIO instance.
createbuckets is a quick instance that creates a new bucket on startup, that way we don’t need to create the bucket manually.

On my app, in settings.py:

# S3 configuration

DEFAULT_FILE_STORAGE = "storages.backends.s3boto3.S3Boto3Storage"

AWS_ACCESS_KEY_ID = os.environ.get("AWS_ACCESS_KEY_ID", "access-key")
AWS_SECRET_ACCESS_KEY = os.environ.get("AWS_SECRET_ACCESS_KEY", "secret-key")
AWS_STORAGE_BUCKET_NAME = os.environ.get("AWS_STORAGE_BUCKET_NAME", "my-local-bucket")

if DEBUG:
 AWS_S3_ENDPOINT_URL = "http://minio:9000"

If we were in a production environment, the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_STORAGE_BUCKET_NAME would be read from the environmental variables, but since we haven’t set those up and we have DEBUG=True, we are going to use the default ones, which point directly to MinIO.

And that’s it! That’s everything you need to have your local S3 development environment.

Testing

First, let’s create our model. This is a simple mock model for testing purposes:

from django.db import models


class Person(models.Model):
 """This is a demo person model"""

 first_name = models.CharField(max_length=50)
 last_name = models.CharField(max_length=50)
 date_of_birth = models.DateField()
 picture = models.ImageField()

 def __str__(self):
 return f"{self.first_name} {self.last_name} {str(self.date_of_birth)}"

Then, in the Django admin we can interact with our new model:

If we go to the URL and change the domain to localhost, we should be able to see the picture we uploaded.

Bonus: The MinIO browser

MinIO has a local objects browser. If you want to check it out you just need to go to http://localhost:9000. With my docker-compose configuration, the credentials are:

username: access-key
password: secret-key

On the browser, you can see your uploads, delete them, add new ones, etc.

Conclusion

Now you can have a simple configuration for your local and production environments to work seamlessly, using local resources instead of remote resources that might generate costs for the development.

If you want to check out the project code, you can check in my Gitlab here: https://gitlab.com/rogs/minio-example

See you in the next one!

How to create a celery task that fills out fields using Django

Sun, 29 Nov 2020 15:48:48 -0300

Hi everyone!

It’s been way too long, I know. In this oportunity, I wanted to talk about asynchronicity in Django, but first, lets set up the stage:

Imagine you are working in a library and you have to develop an app that allows users to register new books using a barcode scanner. The system has to read the ISBN code and use an external resource to fill in the information (title, pages, authors, etc.). You don’t need the complete book information to continue, so the external resource can’t hold the request.

How can you process the external request asynchronously? 🤔

For that, we need Celery.

What is Celery?

Celery is a “distributed task queue”. Fron their website:

> Celery is a simple, flexible, and reliable distributed system to process vast amounts of messages, while providing operations with the tools required to maintain such a system.

So Celery can get messages from external processes via a broker (like Redis), and process them.

The best thing is: Django can connect to Celery very easily, and Celery can access Django models without any problem. Sweet!

Lets code!

Let’s assume our project structure is the following:

- app/
- manage.py
- app/
- __init__.py
- settings.py
- urls.py

Celery

First, we need to set up Celery in Django. Thankfully, Celery has an excellent documentation, but the entire process can be summarized to this:

In app/app/celery.py:

import os

from celery import Celery

# set the default Django settings module for the 'celery' program.
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "app.settings")

app = Celery("app")

# Using a string here means the worker doesn't have to serialize
# the configuration object to child processes.
# - namespace='CELERY' means all celery-related configuration keys
# should have a `CELERY_` prefix.
app.config_from_object("django.conf:settings", namespace="CELERY")

# Load task modules from all registered Django app configs.
app.autodiscover_tasks()


@app.task(bind=True)
def debug_task(self):
 """A debug celery task"""
 print(f"Request: {self.request!r}")

What’s going on here?

First, we set the DJANGO_SETTINGS_MODULE environment variable
Then, we instantiate our Celery app using the app variable.
Then, we tell Celery to look for celery configurations in the Django settings with the CELERY prefix. We will see this later in the post.
Finally, we start Celery’s autodiscover_tasks. Celery is now going to look for tasks.py files in the Django apps.

In /app/app/__init__.py:

# This will make sure the app is always imported when
# Django starts so that shared_task will use this app.
from .celery import app as celery_app

__all__ = ("celery_app",)

Finally in /app/app/settings.py:

...
# Celery
CELERY_BROKER_URL = env.str("CELERY_BROKER_URL")
CELERY_TIMEZONE = env.str("CELERY_TIMEZONE", "America/Montevideo")
CELERY_RESULT_BACKEND = "django-db"
CELERY_CACHE_BACKEND = "django-cache"
...

Here, we can see that the CELERY prefix is used for all Celery configurations, because on celery.py we told Celery the prefix was CELERY

With this, Celery is fully configured. 🎉

Django

First, let’s create a core app. This is going to be used for everything common in the app

$ python manage.py startapp core

On core/models.py, lets set the following models:

"""
Models
"""
import uuid

from django.db import models


class TimeStampMixin(models.Model):
 """
 A base model that all the other models inherit from.
 This is to add created_at and updated_at to every model.
 """

 id = models.UUIDField(primary_key=True, default=uuid.uuid4)
 created_at = models.DateTimeField(auto_now_add=True)
 updated_at = models.DateTimeField(auto_now=True)

 class Meta:
 """Setting up the abstract model class"""

 abstract = True


class BaseAttributesModel(TimeStampMixin):
 """
 A base model that sets up all the attibutes models
 """

 name = models.CharField(max_length=255)
 outside_url = models.URLField()

 def __str__(self):
 return self.name

 class Meta:
 abstract = True

Then, let’s create a new app for our books:

python manage.py startapp books

And on books/models.py, let’s create the following models:

"""
Books models
"""
from django.db import models

from core.models import TimeStampMixin, BaseAttributesModel


class Author(BaseAttributesModel):
 """Defines the Author model"""


class People(BaseAttributesModel):
 """Defines the People model"""


class Subject(BaseAttributesModel):
 """Defines the Subject model"""


class Book(TimeStampMixin):
 """Defines the Book model"""

 isbn = models.CharField(max_length=13, unique=True)
 title = models.CharField(max_length=255, blank=True, null=True)
 pages = models.IntegerField(default=0)
 publish_date = models.CharField(max_length=255, blank=True, null=True)
 outside_id = models.CharField(max_length=255, blank=True, null=True)
 outside_url = models.URLField(blank=True, null=True)
 author = models.ManyToManyField(Author, related_name="books")
 person = models.ManyToManyField(People, related_name="books")
 subject = models.ManyToManyField(Subject, related_name="books")

 def __str__(self):
 return f"{self.title} - {self.isbn}"

Author, People, and Subject are all BaseAttributesModel, so their fields come from the class we defined on core/models.py.

For Book we add all the fields we need, plus a many_to_many with Author, People and Subjects. Because:

Books can have many authors, and many authors can have many books

Example: 27 Books by Multiple Authors That Prove the More, the Merrier

Books can have many persons, and many persons can have many books

Example: Ron Weasley is in several Harry Potter books

Books can have many subjects, and many subjects can have many books

Example: A book can be a comedy, fiction, and mystery at the same time

Let’s create books/serializers.py:

"""
Serializers for the Books
"""
from django.db.utils import IntegrityError
from rest_framework import serializers

from books.models import Book, Author, People, Subject
from books.tasks import get_books_information


class AuthorInBookSerializer(serializers.ModelSerializer):
 """Serializer for the Author objects inside Book"""

 class Meta:
 model = Author
 fields = ("id", "name")


class PeopleInBookSerializer(serializers.ModelSerializer):
 """Serializer for the People objects inside Book"""

 class Meta:
 model = People
 fields = ("id", "name")


class SubjectInBookSerializer(serializers.ModelSerializer):
 """Serializer for the Subject objects inside Book"""

 class Meta:
 model = Subject
 fields = ("id", "name")


class BookSerializer(serializers.ModelSerializer):
 """Serializer for the Book objects"""

 author = AuthorInBookSerializer(many=True, read_only=True)
 person = PeopleInBookSerializer(many=True, read_only=True)
 subject = SubjectInBookSerializer(many=True, read_only=True)

 class Meta:
 model = Book
 fields = "__all__"


class BulkBookSerializer(serializers.Serializer):
 """Serializer for bulk book creating"""

 isbn = serializers.ListField()

 def create(self, validated_data):
 return_dict = {"isbn": []}
 for isbn in validated_data["isbn"]:
 try:
 Book.objects.create(isbn=isbn)
 return_dict["isbn"].append(isbn)
 except IntegrityError as error:
 pass

 return return_dict

 def update(self, instance, validated_data):
 """The update method needs to be overwritten on
 serializers.Serializer. Since we don't need it, let's just
 pass it"""
 pass


class BaseAttributesSerializer(serializers.ModelSerializer):
 """A base serializer for the attributes objects"""

 books = BookSerializer(many=True, read_only=True)


class AuthorSerializer(BaseAttributesSerializer):
 """Serializer for the Author objects"""

 class Meta:
 model = Author
 fields = ("id", "name", "outside_url", "books")


class PeopleSerializer(BaseAttributesSerializer):
 """Serializer for the Author objects"""

 class Meta:
 model = People
 fields = ("id", "name", "outside_url", "books")


class SubjectSerializer(BaseAttributesSerializer):
 """Serializer for the Author objects"""

 class Meta:
 model = Subject
 fields = ("id", "name", "outside_url", "books")

The most important serializer here is BulkBookSerializer. It’s going to get an ISBN list and then bulk create them in the DB.

On books/views.py, we can set the following views:

"""
Views for the Books
"""
from rest_framework import viewsets, mixins, generics
from rest_framework.permissions import AllowAny

from books.models import Book, Author, People, Subject
from books.serializers import (
 BookSerializer,
 BulkBookSerializer,
 AuthorSerializer,
 PeopleSerializer,
 SubjectSerializer,
)


class BookViewSet(
 viewsets.GenericViewSet,
 mixins.ListModelMixin,
 mixins.RetrieveModelMixin,
):
 """
 A view to list Books and retrieve books by ID
 """

 permission_classes = (AllowAny,)
 queryset = Book.objects.all()
 serializer_class = BookSerializer


class AuthorViewSet(
 viewsets.GenericViewSet,
 mixins.ListModelMixin,
 mixins.RetrieveModelMixin,
):
 """
 A view to list Authors and retrieve authors by ID
 """

 permission_classes = (AllowAny,)
 queryset = Author.objects.all()
 serializer_class = AuthorSerializer


class PeopleViewSet(
 viewsets.GenericViewSet,
 mixins.ListModelMixin,
 mixins.RetrieveModelMixin,
):
 """
 A view to list People and retrieve people by ID
 """

 permission_classes = (AllowAny,)
 queryset = People.objects.all()
 serializer_class = PeopleSerializer


class SubjectViewSet(
 viewsets.GenericViewSet,
 mixins.ListModelMixin,
 mixins.RetrieveModelMixin,
):
 """
 A view to list Subject and retrieve subject by ID
 """

 permission_classes = (AllowAny,)
 queryset = Subject.objects.all()
 serializer_class = SubjectSerializer


class BulkCreateBook(generics.CreateAPIView):
 """A view to bulk create books"""

 permission_classes = (AllowAny,)
 queryset = Book.objects.all()
 serializer_class = BulkBookSerializer

Easy enough, endpoints for getting books, authors, people and subjects and an endpoint to post ISBN codes in a list.

We can check swagger to see all the endpoints created:

Now, how are we going to get all the data? 🤔

Creating a Celery task

Now that we have our project structure done, we need to create the asynchronous task Celery is going to run to populate our fields.

To get the information, we are going to use the OpenLibrary API.

First, we need to create books/tasks.py:

"""
Celery tasks
"""
import requests
from celery import shared_task

from books.models import Book, Author, People, Subject


def get_book_info(isbn):
 """Gets a book information by using its ISBN.
 More info here https://openlibrary.org/dev/docs/api/books"""
 return requests.get(
 f"https://openlibrary.org/api/books?jscmd=data&format=json&bibkeys=ISBN:{isbn}"
 ).json()


def generate_many_to_many(model, iterable):
 """Generates the many to many relationships to books"""
 return_items = []
 for item in iterable:
 relation = model.objects.get_or_create(
 name=item["name"], outside_url=item["url"]
 )
 return_items.append(relation)
 return return_items


@shared_task
def get_books_information(isbn):
 """Gets a book information"""

 # First, we get the book information by its isbn
 book_info = get_book_info(isbn)

 if len(book_info) > 0:
 # Then, we need to access the json itself. Since the first key is dynamic,
 # we get it by accessing the json keys
 key = list(book_info.keys())[0]
 book_info = book_info[key]

 # Since the book was created on the Serializer, we get the book to edit
 book = Book.objects.get(isbn=isbn)

 # Set the fields we want from the API into the Book
 book.title = book_info["title"]
 book.publish_date = book_info["publish_date"]
 book.outside_id = book_info["key"]
 book.outside_url = book_info["url"]

 # For the optional fields, we try to get them first
 try:
 book.pages = book_info["number_of_pages"]
 except:
 book.pages = 0

 try:
 authors = book_info["authors"]
 except:
 authors = []

 try:
 people = book_info["subject_people"]
 except:
 people = []

 try:
 subjects = book_info["subjects"]
 except:
 subjects = []

 # And generate the appropiate many_to_many relationships
 authors_info = generate_many_to_many(Author, authors)
 people_info = generate_many_to_many(People, people)
 subjects_info = generate_many_to_many(Subject, subjects)

 # Once the relationships are generated, we save them in the book instance
 for author in authors_info:
 book.author.add(author[0])

 for person in people_info:
 book.person.add(person[0])

 for subject in subjects_info:
 book.subject.add(subject[0])

 # Finally, we save the Book
 book.save()

 else:
 raise ValueError("Book not found")

So when are we going to run this task? We need to run it in the serializer.

On books/serializers.py:

from books.tasks import get_books_information
...
class BulkBookSerializer(serializers.Serializer):
 """Serializer for bulk book creating"""

 isbn = serializers.ListField()

 def create(self, validated_data):
 return_dict = {"isbn": []}
 for isbn in validated_data["isbn"]:
 try:
 Book.objects.create(isbn=isbn)
 # We need to add this line
 get_books_information.delay(isbn)
 #################################
 return_dict["isbn"].append(isbn)
 except IntegrityError as error:
 pass

 return return_dict

 def update(self, instance, validated_data):
 pass

To trigger the Celery tasks, we need to call our function with the delay function, which has been added by the shared_task decorator. This tells Celery to start running the task in the background since we don’t need the result right now.

Docker configuration

There are a lot of moving parts we need for this to work, so I created a docker-compose configuration to help with the stack. I’m using the package django-environ to handle all environment variables.

On docker-compose.yml:

version: "3.7"

x-common-variables: &common-variables
 DJANGO_SETTINGS_MODULE: "app.settings"
 CELERY_BROKER_URL: "redis://redis:6379"
 DEFAULT_DATABASE: "psql://postgres:postgres@db:5432/app"
 DEBUG: "True"
 ALLOWED_HOSTS: "*,test"
 SECRET_KEY: "this-is-a-secret-key-shhhhh"

services:
 app:
 build:
 context: .
 volumes:
 - ./app:/app
 environment:
 <<: *common-variables
 ports:
 - 8000:8000
 command: >
 sh -c "python manage.py migrate &&
 python manage.py runserver 0.0.0.0:8000"
 depends_on:
 - db
 - redis

 celery-worker:
 build:
 context: .
 volumes:
 - ./app:/app
 environment:
 <<: *common-variables
 command: celery --app app worker -l info
 depends_on:
 - db
 - redis

 db:
 image: postgres:12.4-alpine
 environment:
 - POSTGRES_DB=app
 - POSRGRES_USER=postgres
 - POSTGRES_PASSWORD=postgres

 redis:
 image: redis:6.0.8-alpine

This is going to set our app, DB, Redis, and most importantly our celery-worker instance. To run Celery, we need to execute:

$ celery --app app worker -l info

So we are going to run that command on a separate docker instance

Testing it out

If we run

$ docker-compose up

on our project root folder, the project should come up as usual. You should be able to open http://localhost:8000/admin and enter the admin panel.

To test the app, you can use a curl command from the terminal:

curl -X POST "http://localhost:8000/books/bulk-create" -H "accept: application/json" \
 -H "Content-Type: application/json" -d "{ \"isbn\": [ \"9780345418913\", \
 \"9780451524935\", \"9780451526342\", \"9781101990322\", \"9780143133438\" ]}"

This call lasted 147ms, according to my terminal.

This should return instantly, creating 15 new books and 15 new Celery tasks, one for each book. You can also see tasks results in the Django admin using the django-celery-results package, check its documentation.

Celery tasks list, using django-celery-results

Created and processed books list

Single book information

People in books

Authors

Themes

And also, you can interact with the endpoints to search by author, theme, people, and book. This should change depending on how you created your URLs.

That’s it!

This surely was a LONG one, but it has been a very good one in my opinion. I’ve used Celery in the past for multiple things, from sending emails in the background to triggering scraping jobs and running scheduled tasks (like a unix cronjob)

You can check the complete project in my GitLab here: https://gitlab.com/rogs/books-app

If you have any doubts, let me know! I always answer emails and/or messages.

How I got a residency appointment thanks to Python, Selenium and Telegram

Sun, 02 Aug 2020 00:00:00 +0000

Hello everyone

As some of you might know, I’m a Venezuelan 🇻🇪 living in Montevideo, Uruguay 🇺🇾. I’ve been living here for almost a year, but because of the pandemic my residency appointments have slowed down to a crawl, and in the middle of the quarantine they added a new appointment system. Before, there were no appointments, you just had to get there early and wait for the secretary to review your files and assign someone to attend you. But now, they had implemented an appointment system that you could do from the comfort of your own home/office. There was just one issue: there were never appointments available.

That was a little stressful. I was developing a small tick by checking the site multiple times a day, with no luck. But then, I decided I wanted to do a bot that checks the site for me, that way I could just forget about it and let the computers do it for me.

Tech

Selenium

I had some experience with Selenium in the past because I had to run automated tests on an Android application, but I had never used it for the web. I knew it supported Firefox and had an extensive API to interact with websites. In the end, I just had to inspect the HTML and search for the “No appointments available” error message. If the message wasn’t there, I needed a way to be notified so I can set my appointment as fast as possible.

Telegram Bot API

Telegram was my goto because I have a lot of experience with it. It has a stupidly easy API that allows for superb bot management. I just needed the bot to send me a message whenever the “No appointments available” message wasn’t found on the site.

The plan

Here comes the juicy part: How is everything going to work together?

I divided the work into four parts:

Inspecting the site
Finding the error message on the site
Sending the message if nothing was found
Deploy the job with a cronjob on my VPS

Inspecting the site

Here is the site I needed to inspect:

On the first site, I need to click the bottom button. By inspecting the HTML, I found out that its name is form:botonElegirHora
When the button is clicked, it loads a second page that has an error message if no appointments are found. The ID of that message is form:warnSinCupos.

Using Selenium to find the error message

First, I needed to define the browser session and its settings. I wanted to run it in headless mode so no X session is needed:

from selenium import webdriver
from selenium.webdriver.firefox.options import Options

options = Options()
options.headless = True
d = webdriver.Firefox(options=options)

Then, I opened the site, looked for the button (form:botonElegirHora) and clicked it

# This is the website I wanted to scrape
d.get('https://sae.mec.gub.uy/sae/agendarReserva/Paso1.xhtml?e=9&a=7&r=13')
elem = d.find_element_by_name('form:botonElegirHora')
elem.click()

And on the new page, I looked for the error message (form:warnSinCupos)

try:
 warning_message = d.find_element_by_id('form:warnSinCupos')
except Exception:
 pass

This was working exactly how I wanted: It opened a new browser session, opened the site, clicked the button, and then looked for the message. For now, if the message wasn’t found, it does nothing. Now, the script needs to send me a message if the warning message wasn’t found on the page.

Using Telegram to send a message if the warning message wasn’t found

The Telegram bot API has a very simple way to send messages. If you want to read more about their API, you can check it here.

There are a few steps you need to follow to get a Telegram bot:

First, you need to “talk” to the Botfather to create the bot.
Then, you need to find your Telegram Chat ID. There are a few bots that can help you with that, I personally use @get_id_bot.
Once you have the ID, you should read the sendMessage API, since that’s the only one we need now. You can check it here.

So, by using the Telegram documentation, I came up with the following code:

import requests

chat_id = # Insert your chat ID here
telegram_bot_id = # Insert your Telegram bot ID here
telegram_data = {
 "chat_id": chat_id
 "parse_mode": "HTML",
 "text": ("<b>Hay citas!</b>\nHay citas en el registro civil, para "
 f"entrar ve a {SAE_URL}")
}
requests.post('https://api.telegram.org/bot{telegram_bot_id}/sendmessage', data=telegram_data)

The complete script

I added a few loggers and environment variables and voilá! Here is the complete code:

#!/usr/bin/env python3

import os
import requests
from datetime import datetime

from selenium import webdriver
from selenium.webdriver.firefox.options import Options

from dotenv import load_dotenv

load_dotenv() # This loads the environmental variables from the .env file in the root folder

TELEGRAM_BOT_ID = os.environ.get('TELEGRAM_BOT_ID')
TELEGRAM_CHAT_ID = os.environ.get('TELEGRAM_CHAT_ID')
SAE_URL = 'https://sae.mec.gub.uy/sae/agendarReserva/Paso1.xhtml?e=9&a=7&r=13'

options = Options()
options.headless = True
d = webdriver.Firefox(options=options)
d.get(SAE_URL)
print(f'Headless Firefox Initialized {datetime.now()}')
elem = d.find_element_by_name('form:botonElegirHora')
elem.click()
try:
 warning_message = d.find_element_by_id('form:warnSinCupos')
 print('No dates yet')
 print('------------------------------')
except Exception:
 telegram_data = {
 "chat_id": TELEGRAM_CHAT_ID,
 "parse_mode": "HTML",
 "text": ("<b>Hay citas!</b>\nHay citas en el registro civil, para "
 f"entrar ve a {SAE_URL}")
 }
 requests.post('https://api.telegram.org/bot'
 f'{TELEGRAM_BOT_ID}/sendmessage', data=telegram_data)
 print('Dates found!')
d.close() # To close the browser connection

Only one more thing to do, to deploy everything to my VPS

Deploy and testing on the VPS

This was very easy. I just needed to pull my git repo, install the requirements.txt and set a new cron to run every 10 minutes and check the site. The cron settings I used where:

*/10 * * * * /usr/bin/python3 /my/script/location/registro-civil-scraper/app.py >> /my/script/location/registro-civil-scraper/log.txt

The >> /my/script/location/registro-civil-scraper/log.txt part is to keep the logs on a new file.

Did it work?

Yes! And it worked perfectly. I got a message the following day at 21:00 (weirdly enough, that’s 0:00GMT, so maybe they have their servers at GMT time and it opens new appointments at 0:00).

Conclusion

I always loved to use programming to solve simple problems. With this script, I didn’t need to check the site every couple of hours to get an appointment, and sincerely, I wasn’t going to check past 19:00, so I would’ve never found it by my own.

My brother is having similar issues in Argentina, and when I showed him this, he said one of the funniest phrases I’ve heard about my profession:

> “Programmers could take over the world, but they are too lazy”

I lol’d way too hard at that.

I loved Selenium and how it worked. Recently I created a crawler using Selenium, Redis, peewee, and Postgres, so stay tuned if you want to know more about that.

In the meantime, if you want to check the complete script, you can see it on my Gitlab: https://gitlab.com/rogs/registro-civil-scraper

How to search Google without using Google, the self-hosted way

Mon, 22 Jun 2020 10:07:12 -0300

Hello everyone!

Last week I was talking with a friend and he was complaining about how Google knows everything about us, so I took the chance to recommend some degoogled alternatives: I sent him my blog, recommended DuckDuckGo, Nextcloud, Protonmail, etc. He really liked my suggestions and promised to try DuckDuckGo. A couple of days later he came to me a little defeated, because he didn’t like the search results on DuckDuckGo and felt bad going back to Google.

So that got me thinking: Are there some degoogled search engines that use Google as the backend but respect our privacy?

So I went looking and found a couple of really interesting options.

Startpage.com

According to their Wikipedia:

Startpage is a web search engine that highlights privacy as its distinguishing feature. Previously, it was known as the metasearch engine Ixquick

…

On 7 July 2009, Ixquick launched Startpage.com to offer its service at a URL that is both easier to remember and spell. In contrast to Ixquick.eu, Startpage.com fetches results from the Google search engine. This is done without saving user IP addresses or giving any personal user information to Google’s servers.

and their own website:

You can’t beat Google when it comes to online search. So we’re paying them to use their brilliant search results in order to remove all trackers and logs. The result: The world’s best and most private search engine. Only now you can search without ads following you around, recommending products you’ve already bought. And no more data mining by companies with dubious intentions. We want you to dance like nobody’s watching and search like nobody’s watching.

So this was a good solution for my friend: He could still keep his Google search results while using a search engine that respects his privacy

But that wasn’t enough for me. You know I love self-hosting, so I wanted to find a solution I could run inside my own server because that’s the only way I can be 100% sure that my searches are private and no logs are kept on my searches, So I went to my second option: Searx

Searx

According to their Wikipedia

searx (/sɜːrks/) is a free metasearch engine, available under the GNU Affero General Public License version 3, with the aim of protecting the privacy of its users. To this end, searx does not share users’ IP addresses or search history with the search engines from which it gathers results. Tracking cookies served by the search engines are blocked, preventing user-profiling-based results modification. By default, searx queries are submitted via HTTP POST, to prevent users’ query keywords from appearing in webserver logs. searx was inspired by the Seeks project, though it does not implement Seeks' peer-to-peer user-sourced results ranking.

…

Any user may run their own instance of searx, which can be done to maximize privacy, to avoid congestion on public instances, to preserve customized settings even if browser cookies are cleared, to allow auditing of the source code being run, etc.

And that’s what I wanted: To host my own Searx instance on my server. And nicely enough, they supported Docker out of the box :)

So I created my own docker-compose based on their docker-compose:

version: '3.7'

services:

 filtron:
 container_name: filtron
 image: dalf/filtron
 restart: always
 ports:
 - 4040:4040
 - 4041:4041
 command: -listen 0.0.0.0:4040 -api 0.0.0.0:4041 -target 0.0.0.0:8082
 volumes:
 - ./rules.json:/etc/filtron/rules.json:rw
 read_only: true
 cap_drop:
 - ALL
 network_mode: host

 searx:
 container_name: searx
 image: searx/searx:latest
 restart: always
 command: -f
 volumes:
 - ./searx:/etc/searx:rw
 environment:
 - BIND_ADDRESS=0.0.0.0:8082
 - BASE_URL=https://myurl.com/
 - MORTY_URL=https://myurl.com/
 - MORTY_KEY=mysupersecretkey
 cap_drop:
 - ALL
 cap_add:
 - CHOWN
 - SETGID
 - SETUID
 - DAC_OVERRIDE
 network_mode: host

 morty:
 container_name: morty
 image: dalf/morty
 restart: always
 ports:
 - 3000:3000
 command: -listen 0.0.0.0:3000 -timeout 6 -ipv6
 environment:
 - MORTY_KEY=mysupersecretkey
 logging:
 driver: none
 read_only: true
 cap_drop:
 - ALL
 network_mode: host

 searx-checker:
 container_name: searx-checker
 image: searx/searx-checker
 restart: always
 command: -cron -o html/data/status.json http://localhost:8082
 volumes:
 - searx-checker:/usr/local/searx-checker/html/data:rw
 network_mode: host

volumes:
 searx-checker:

And that was it! I had my own Searx instance, that uses Google, Bing, Yahoo, DuckDuckGo and many other sources to search around the web.

Don’t want to host your own instance? Use a public one!

Searx has a lot of public instances on their website, in case you don’t want to self-host your instance but still want all the benefits of using Searx. You can check the list here: https://searx.space/

Conclusion

I really like DuckDuckGo. I think it is a very good project that takes privacy to the hands of non-technical people, but I also know that “You can’t beat Google when it comes to online search”¹. It is definitely possible to get good search results using privacy oriented alternatives, and in the end, it is a very cool and rewarding experience.

I seriously recommend you to use https://startpage.com, one of the instances listed in https://searx.space, or better yet, if you have the knowledge and the resources, to self-host your own Searx instance and start searching the web without a big corporation watching every move you make.

Stay private.

Taken from the Startpage website ↩︎

De-Google my blog - How to blog in 2020 without Google

Wed, 20 May 2020 10:41:56 -0300

Hi everyone!

Right now I have Google almost completely out of my life, but some of the top commentaries of my posts in /r/degoogle and /r/selfhosted were “Your blog still uses google for resources lol”, so I needed to change that.

Shame.

In my old blog, the features that used Google where:

Disquss comments
The Ghost theme

Before we begin, I want to let you know that all these fixes have been applied, so you are currently experiencing the final result.

Fixing comments

I was using disquss to handle comments, since it is what everyone recommends. I checked the network resources on my site and found something horrible: A bunch of random calls to a bunch of external addresses, not just Google. Since I care about my reader’s privacy, disquss had to go. Someone in /r/degoogle suggested “Commento”, and it looked like it was exactly what I needed: A free and opensource, self-hosted alternative to disquss, and it also had an official docker release!

According to their documentation:

version: '3'

services:
 server:
 image: registry.gitlab.com/commento/commento
 restart: always
 ports:
 - 5000:8080
 environment:
 COMMENTO_ORIGIN: https://commento.rogs.me
 COMMENTO_PORT: 8080
 COMMENTO_POSTGRES: postgres://postgres:mysupersecurepassword@db:5432/commento?sslmode=disable
 COMMENTO_SMTP_HOST: my-mail-host.com
 COMMENTO_SMTP_PORT: 587
 COMMENTO_SMTP_USERNAME: mysmtpusername@mail.com
 COMMENTO_SMTP_PASSWORD: mysmtppassword
 COMMENTO_SMTP_FROM_ADDRESS: mysmtpfromaddress@mail.com
 depends_on:
 - db
 db:
 image: postgres
 restart: always
 environment:
 POSTGRES_DB: commento
 POSTGRES_USER: postgres
 POSTGRES_PASSWORD: mysupersecurepassword
 volumes:
 - postgres_data_volume:/var/lib/postgresql/data

volumes:
 postgres_data_volume:

I created an NGINX reverse proxy for port 5000 and that was it! Commento was up and running without much issue.

Then, I configured my blog and added the simple universal snippet on my blog posts template pages:

<script defer src="https://commento.rogs.me/js/commento.js"></script>
<div id="commento"></div>

Is that it?

Yes, as easy as that. Comments were up and running in less than 20 mins, with no random external resources. Sweet!

I could even import my old disquss comments in Commento! I was a bit sad to lose them, but they were just fine!

So now that my comments were ready, I could move forward to fixing Ghost

The Ghost theme

This was quite simple. I forked the git repo for my blog theme and began removing everything regarding Google fonts. You can check the final results here: https://git.rogs.me/me/blog.rogs.me-ghost-theme

But that’s not entirely it!

My ghost blog was big and bloated, and I wasn’t really enjoying it anymore, so I wanted to move it to something more static, fast, and reliable, so I moved everything to Hugo!

What is Hugo?

According to their website:

Hugo is one of the most popular open-source static site generators. With its amazing speed and flexibility, Hugo makes building websites fun again.

So it is a static site generator, that uses .md files for content.

Why did I chose Hugo?

Hugo needs no dependencies. I just had to do sudo pacman -S hugo and no further dependencies were needed
Hugo doesn’t need a database since it is static. That means that my blog could load A LOT faster (and it does!)
Hugo uses a lot less resources than Ghost. For Ghost I needed a docker running with a database, with Hugo I just serve the files directly with NGINX, just like a regular plain HTML website.

And that is what you are seeing right now!

This blog is 100% running with Hugo. Migration was super easy, since Ghost also uses Markdown files. I just needed to match the URLs so old posts wouldn’t break and comments worked like they did before. I chose a simple template, migrated, deployed to my server and that was it!

You can check the code for my blog here: https://gitlab.com/rogs/rogs.me

My theme: https://github.com/athul/archie

I was pretty satisfied with the migration and how things were coming along.

One extra thing: Matomo Analytics

For Analytics, of course I wasn’t going to use Google Analytics, so Matomo was an easy choice. Here is my configuration:

version: "3"

services:
 app:
 image: matomo:latest
 restart: always
 links:
 - db
 volumes:
 - "./config:/var/www/html/config:rw"
 - "./logs:/var/www/html/logs"
 ports:
 - "9000:80"

 db:
 image: mariadb:latest
 restart: always
 volumes:
 - "./mysql/runtime2:/var/lib/mysql"
 environment:
 - "MYSQL_DATABASE=matomo"
 - "MYSQL_ROOT_PASSWORD=mysupersecurepassword"
 - "MYSQL_USER=matomo"
 - "MYSQL_PASSWORD=anothersupersecurepassword"

Again, another reverse proxy for port 9000 and Matomo was up and running!

My blog stats in Matomo

Matomo has everything I need, while respecting the users’ privacy. If you haven’t used it before, you should definitely check it out! I have used Google Analytics before, but Matomo seems more powerful to me.

Conclusion

It isn’t easy to run a website outside of Google, but with a little dedication it is possible. With tools like Matomo and Commento you can easily respect your user’s privacy and get away from Google’s “big brotherness”.

If you have any further suggestions, I’m always looking for more things to self-host and separate from big corporations.

Until next time!

How I manage multiple development environments in my Django workflow using Docker compose

Wed, 13 May 2020 11:36:48 -0300

Hi everyone!

Last week I was searching how to manage multiple development environments with the same docker-compose configuration for my Django workflow. I needed to manage a development and a production environment, so this is what I did.

Some descriptions on my data:

I had around 20 env vars, but some of them where shared among environments.
I wanted to do it with as little impact as possible.

First, docker-compose help command

The first thing I did was run a simple docker-compose --help, and it returned this:

Define and run multi-container applications with Docker.

Usage:
 docker-compose [-f <arg>...] [options] [COMMAND] [ARGS...]
 docker-compose -h|--help

Options:
 -f, --file FILE Specify an alternate compose file
 (default: docker-compose.yml)
# more not necessary stuff
 --env-file PATH Specify an alternate environment file

I went with the -f flag, because I also wanted to run some docker images for development. By using the -f flag I could create a base compose file with the shared env vars (docker-compose.yml) and another one for each of the environments (prod.yml and dev.yml)

So I went to town. I kept the shared variables inside docker-compose.yml and added the specific variables and configuration to prod.yml and dev.yml

docker-compose.yml:

version: "3"

services:
 app:
 build:
 context: .
 ports:
 - "8000:8000"
 volumes:
 - ./app:/app
 command: >
 sh -c "python manage.py migrate && python manage.py runserver 0.0.0.0:8000"
 environment:
 - myvar1=myvar1
 - myvar2=myvar2
 ...
 - myvarx=myvarx

Since I’m going to connect to a remote RDS and a remote Redis, in my prod.yml, I don’t need to define a Postgres or Redis image:


version: "3"
services:
 app:
 environment:
 # DB connections
 - DB_HOST=my-host
 - DB_NAME=db-name
 - DB_USER=db-user
 - DB_PASS=mysupersecurepassword
 ...

For dev.yml I added the Postgres database image and Redis image:

version: "3"

services:
 app:
 depends_on:
 - db
 - redis
 environment:
 # Basics
 - DEBUG=True
 # DB connections
 - DB_HOST=db
 - DB_NAME=app
 - DB_USER=postgres
 - DB_PASS=supersecretpassword
 ...
 db:
 image: postgres:10-alpine
 environment:
 - POSTGRES_DB=app
 - POSRGRES_USER=postgres
 - POSTGRES_PASSWORD=supersecretpassword
 links:
 - redis:redis

 redis:
 image: redis:5.0.7
 expose:
 - "6379"

And to run it between environments, all I have to do is:

# For production
docker-compose -f docker-compose.yml -f prod.yml up

# For development
docker-compose -f docker-compose.yml -f dev.yml up

That’s it! I have multiple docker-compose files for all my environments, but I could go even further.

Improving the solution

Improving the base docker-compose.yml file

I liked the way it looked, but I knew I could go deeper. A bunch of vars inside the base docker-compose.yml looked weird, and made the file a little unreadable. So again, I went to the docker-compose documentation and found what I needed: env files in docker-compose.

So I created a file called globals.env, and moved all the global env vars to that file:

myvar1=myvar1
mivar2=myvar2
...

And on the docker-compose.yml file I called the globals.env file:

 app:
 env_file: globals.env

This is the final result:

version: "3"

services:
 app:
 build:
 context: .
 ports:
 - "8000:8000"
 volumes:
 - ./app:/app
 command: >
 sh -c "python manage.py migrate && python manage.py runserver 0.0.0.0:8000"
 env_file: globals.env

Improving the running command

As I mentioned before, I wanted as little impact as possible, and docker-compose -f docker-compose.yml -f envfile.yml up was a bit long for me. So I created a couple of bash files to ease the ingestion of docker-compose files:

prod:

#!/usr/bin/env bash
# Run django as production
docker-compose -f docker-compose.yml -f prod.yml "$@"

dev:

#!/usr/bin/env bash
# Run django as development
docker-compose -f docker-compose.yml -f dev.yml "$@"

The "$@" means “Append all extra arguments here”, so if I ran the dev command with the up -d arguments, the full command would be docker-compose -f docker-compose.yml -f development.yml up -d, so it is exactly what I wanted

A quick permissions management:

chmod +x prod dev

And now I could run my environments as:

./dev up
./prod up

All good?

I was satisfied with this solution. I could run both environments wherever I want with only one command instead of moving env vars all over the place. I could go even further by moving the environment variables of each file to its own .env file, but I don’t think that’s needed for the time being. At least I like to know that I can do that down the road if it is necessary

Secure your Django API from DDoS attacks with NGINX and fail2ban

Sun, 26 Apr 2020 11:36:39 -0300

Hello everyone!

Last week our Django API, hosted on an Amazon EC2 server was attacked by a botnet farm, which took our services down for almost the entire weekend. I’m not going to lie, it was a very stressful situation, but at the same time we learned a lot about how to secure our server from future DDoS attacks.

For our solution we are using the rate-limiting functionality from NGINX and fail2ban, a program that bans external APIs when they break a certain set of rules. Let’s start!

NGINX configuration

In NGINX is simple, we just need to configure the rate-limiting on our website level.

We are using Django with the Django REST framework, so we went with a configuration of 5 requests per second (5r/s) with extra bursts of 5 requests. This works fine with Django, but you might need to tweak it for your configuration.

This allows a total of 10 requests (5 processing and 5 in queue) before our API returns a 503 server error

limit_req_zone $binary_remote_addr zone=one:20m rate=5r/s;

server {
 limit_req zone=one burst=5 nodelay;
 # ...
}

Let me explain what is going on here:

First, we are setting up the limit_req_zone.
- The $binary_remote_addr specifies that we are registering the requests by IP
- zone is the name of the limit_req_zone, and 20m is its total size
- rate is the permitted rate per IP address. Here we are allowing 5r/s, which translates to 1 request every 200ms.
Then, inside the server directive we use the limit_req_zone referencing it by name.
- zone specifies the limit_req_zone to be used, in this case, we named it one
- burst is the number of requests that can be queued by the same IP per second, giving us a grand total of 10 requests per IP (5 in process and 5 in queue)
- We want our queued requests to be processed as soon as possible, by giving it the nodelay directive when a slot is freed, an item in the queue is going to be processed

If a client goes over the 10 requests limit, NGINX is going to return a 503 (Service Unavailable) error and will record the attempt in the error log. And here is where it becomes interesting :)

If you want to read more about NGINX rate limiting, you can check this link https://www.nginx.com/blog/rate-limiting-nginx/

fail2ban

According to their documentation, fail2ban is:

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs – too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

We are going to use fail2ban to scan our NGINX error logs, and if it finds too many occurrences of the same IP, it will ban it for an x amount of time.

First, we need to install fail2ban:

In Debian based distros:

$ sudo apt install fail2ban

After installing fail2ban, we need to configure our local configuration file. In fail2ban they are called “jails”. We can make a local copy with the following command:

$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Once we have our local configuration file, we can create our own directive. At the bottom of the /etc/fail2ban/jail.local file, add this configuration:

[nginx-req-limit]

enabled = true
filter = nginx-limit-req
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/error.log
findtime = 5
maxretry = 2
bantime = 300

Here is what’s happening:

First, we name our filter. In this case, our filter is called [nginx-req-limit]
Then we enable our filter with enabled = true
We set our filter to be nginx-limit-req. This is a default filter from fail2ban
We define the action that fail2ban is going to do when it finds a suspicious IP. In this case, it will process it with iptables-multiport and block the http and https ports for that IP address
We tell fail2ban which logfile it is going to scan. In our case, since we are using NGINX our log file is /var/log/nginx/error.log
findtime is the time in which fail2ban is going to limit the searches, and maxretry is the max amount of times an IP can appear on the log before it is banned. In our case, if an IP address appears 2 times in less than 5 seconds on our error log, fail2ban is going to ban it.
And finally, we set our bantime to 300 seconds (5 minutes).

And that’s it! We need to restart fail2ban to see if everything is working correctly:

$ sudo systemctl restart fail2ban.service

To check if the service is running, you can run:

$ sudo fail2ban-client status

It should return something like:

Status
|- Number of jail: 2
`- Jail list: nginx-req-limit, sshd

To know more, you can run:

$ sudo fail2ban-client status nginx-req-limit

And it will return something like:

|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/nginx/error.log
`- Actions
 |- Currently banned: 1
 |- Total banned: 2
 `- Banned IP list: 1.2.3.4

And that’s it! It is fully working, you are now protected from DDoS attacks dynamically.

Django configuration

For Django things are easy. There is no configuration needed, but if you use the Admin or REST viewer in any form, you might want to run a separate instance just for that. In our experience, we got blocked a bunch of times so now we are running the admin and some cron jobs on a second medium EC2 instance.

Bonus

What if I want to ban an IP address forever?

We can create another jail in fail2ban to achieve this. On our /etc/fail2ban/jail.local file, add this:

[man-ban]

enabled = true
filter = nginx-limit-req
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/error.log
findtime = 1
bantime = 2678400
maxretry = 99999

This jail wont pick up anything because we are expecting 99999 errors in less than a second, but it will ban anyone for 1 month. Once we restart fail2ban again, you can manually ban IP addresses with that jail:

$ sudo fail2ban-client set man-ban banip 1.2.3.4

If you check the status, you will see something like:

|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/nginx/error.log
`- Actions
 |- Currently banned: 1
 |- Total banned: 1
 `- Banned IP list: 1.2.3.4

The IP 1.2.3.4 will be banned for 1 month. You can unban it with

$ sudo fail2ban-client set man-ban unbanip 1.2.3.4

Conclusion

In these days, DDoS attacks are very common on the internet, so it is common sense to be prepared to defend against them.

In the next delivery we will create a status page for our API, that will let us know if one of the services is down.

Stay tuned!

My mom was always right | Rant on social media

Sat, 25 Apr 2020 12:35:53 -0300

My mom always hated social media. My bother and I always made fun of her because she was always late to all the news. Her main reason against social media was “why would I want everyone to know what I’m doing? And why should I care what they are doing?”. I didn’t understand at the time, but now I do.

I remember when I was 13 years old social media started ramping up. I created a MySpace account to go with the flow. I won’t lie, I liked MySpace a lot: creating a website that “defined me”, sharing my music, posting funny pictures and checking my friends’ profiles. It all seemed pretty cool and innovative.

Then it came to Facebook, where you couldn’t create your own site or share music players like in MySpace, but you had a wall and your friends could leave messages on your wall! How cool was that? You could share pictures, thoughts, opinions, and your friends didn’t have to go to your profile to check it out: Facebook had a feed with all your friends’ posts, so there was no need to visit their profile just to see what they were doing. It sounded very cool at the moment!

After that, Twitter. Microblogging, 140 chars max (now its 280 chars, double of what it was before), interactions with people all around the internet, you didn’t need be friends with someone to send them a tweet or a private message. Discussions, threads, memes…

Instagram. Sharing pictures, stories, following my friends to see their travels, following superstars to see their perfect lifes, ads, paid content.

Stop.

Just stop.

Social media has become too overwhelming in the last couple of years. People are lonelier and more depressed because of social media (link). The FOMO (Fear of missing out) is at an all-time high.

Now that I know all of this, why would I want to be part of something that could make me feel anxiety, depression and have self-esteem issues? That was the question I made to myself around 6 months ago. I consider myself an exaggerated person, so I went full in. The goal was to stop using all social media for 1 month and see the results. So here are my thoughts about the experiment

I feel more relaxed

I don’t have the need to open my phone when I’m at a bus stop or just doing nothing. I don’t care what my friends are posting, I don’t care if an influencer bought ‘x’ thing or traveled to ‘y’ place. Before leaving social media, those things had little impact on me and my daily life, so why should I care?

I have more free time, or time to do more productive stuff

The first week I realized how much time I was wasting using social media, I was wasting between 3 to 4 hours a day in social media, but now I have that time for myself. Now I have built a server for my apartment, I have improved my programming, updated my website, updated and improved my working PC and many other things.

I can appreciate things a lot more

This decision came at the same time as I had to migrate from Venezuela to Uruguay. So, being in a new country I wanted to visit a lot of new places. I went to museums, parks, beaches (in winter, a bit dumb), monuments and many other touristic attractions. It is funny how I was one of the few that enjoyed the moment instead of being neck-deep in my phone. I was free to enjoy the new city I live in.

My “reach to my pocket for my phone” tick stopped

I wasn’t checking my phone as much as before. I could meet and talk to people without my phone being on the table, and I also realized how rude it is to be ignored because everyone at the table is checking Instagram on their phones.

But all of this wasn’t always pretty

I had to make a lot of changes because I depended on social media for many other things:

I installed a Feed aggregator on my PC and added sources for all news I want to watch (and also memes lol). I try to keep it with as few sources as possible, when I see news repeating, I delete the least interesting source. The main difference is that feed aggregators have endings. I check it once a day and never spend more than 10 mins on it.
My girlfriend now has to find all the “Instagram business”. Being foreigners on a strange land we sometimes need supplies from home. We have found a few by word of mouth, but we had to resource back to Instagram and check with groups of local Venezuelans.
I have missed some family pictures, but that is easily fixable. My new cousin was born a month ago, and since I don’t use any type of social media, I asked my uncle to send me some pictures and I now have a bunch of pictures of the baby, my other cousins, and more family members. Now they even send me pictures without me asking! The conversations have become more intimate than before, where I would just swipe on a feed and “double-tap” to like.

Conclusions?

My mom was right, as always. The information overload was fun at first, but then it became overwhelming. Social media has entered our society as a spy and made us dependent on it, and that’s bad. We need to get rid of it.

This experiment started in November 2019 and I can happily say that I left social media for 1 month and never went back. I want to close my Facebook / Instagram accounts (I need to backup my content first) and leave Twitter / LinkedIn because I sometimes use it for work.

I now recommend everyone I know to shut down everything for a while and see how it feels. They might find out that there is a big world out there if they just move their head up and away from their phones.

How to search in a huge table on Django admin

Mon, 17 Feb 2020 17:08:00 -0400

Hello everyone!

We all know that the Django admin is a super cool tool for Django. You can check your models, and add/edit/delete records from the tables. If you are familiar with Django, I’m sure you already know about it.

I was given a task: Our client wanted to search in a table by one field. It seems easy enough, right? Well, the tricky part is that the table has 523.803.417 records.

Wow. 523.803.417 records.

At least the model was not that complex:

On models.py:

class HugeTable(models.Model):
 """Huge table information"""
 search_field = models.CharField(max_length=10, db_index=True, unique=True)
 is_valid = models.BooleanField(default=True)

 def __str__(self):
 return self.search_field

So for Django admin, it should be a breeze, right? WRONG.

The process

First, I just added the search field on the admin.py:

On admin.py:

class HugeTableAdmin(admin.ModelAdmin):
 search_fields = ('search_field', )

admin.site.register(HugeTable, HugeTableAdmin)

And it worked! I had a functioning search field on my admin.

Only one problem: It took 3mins+ to load the page and 5mins+ to search. But at least it was working, right?

WTF?

First, let’s split the issues:

Why was it taking +3mins just to load the page?
Why was it taking +5mins to search if the search field was indexed?

I started tackling the first one, and found it quite easily: Django was getting only 100 records at a time, but it had to calculate the length for the paginator and the “see more” button on the search bar

So near, yet so far

Improving the page load

A quick look at the Django docs told me how to deactivate the “see more” query:

ModelAdmin.show_full_result_count

Set show_full_result_count to control whether the full count of objects should be displayed on a filtered admin page (e.g. 99 results (103 total)). If this option is set to False, a text like 99 results (Show all) is displayed instead.

On admin.py:

class HugeTableAdmin(admin.ModelAdmin):
 search_fields = ('search_field', )
 show_full_result_count = False

admin.site.register(HugeTable, HugeTableAdmin)

That fixed one problem, but how about the other? It seemed I needed to do my paginator.

Thankfully, I found an awesome post by Haki Benita called “Optimizing the Django Admin Paginator” that explained exactly that. Since I didn’t need to know the records count, I went with the “Dumb” approach:

On admin.py:

from django.core.paginator import Paginator
from Django.utils.functional import cached_property

class DumbPaginator(Paginator):
 """
 Paginator that does not count the rows in the table.
 """
 @cached_property
 def count(self):
 return 9999999999

class HugeTableAdmin(admin.ModelAdmin):
 search_fields = ('search_field', )
 show_full_result_count = False
 paginator = DumbPaginator

admin.site.register(HugeTable, HugeTableAdmin)

And it worked! The page was loading blazingly fast :) But the search was still ultra slow. So let’s fix that.

Improving the search

I checked A LOT of options. I almost went with Haystack, but it seemed a bit overkill for what I needed. I finally found this super cool tool: djangoql. It allowed me to search the table by using sql like operations, so I could search by search_field and make use of the indexation. So I installed it:

On settings.py:

INSTALLED_APPS = [
 ...
 'djangoql',
 ...
]

On admin.py:

from django.core.paginator import Paginator
from django.utils.functional import cached_property
from djangoql.admin import DjangoQLSearchMixin

class DumbPaginator(Paginator):
 """
 Paginator that does not count the rows in the table.
 """
 @cached_property
 def count(self):
 return 9999999999

class HugeTableAdmin(DjangoQLSearchMixin, admin.ModelAdmin):
 show_full_result_count = False
 paginator = DumbPaginator

admin.site.register(HugeTable, HugeTableAdmin)

And it worked! By performing the query:

search_field = "my search query"

I get my results in around 1 second.

Is it done?

Yes! Now my client can search by search_field on a table of 523.803.417 records, very easily and very quickly.

I’m planning to post more Python/Django things I’m learning by working with this client, so you might want to stay tuned :)

De-Google my life - Part 5 of ¯ (ツ)_/¯: Backups

Wed, 27 Nov 2019 19:30:00 -0400

Hello everyone! Welcome to the fifth post of my blog series “De-Google my life”. If you haven’t read the other ones you definitely should! (Part 1, Part 2, Part 3, Part 4).

At this point, our server is up and running and everything is working 100% fine, but we can’t always trust that. We need a way to securely backup everything in a place where we can restore quickly if needed.

Backup location

My backups location was an easy choice. I already had a Wasabi subscription, so why not use it to save my backups as well?

I created a new bucket on Wasabi, just for my backups and that was it.

There is my bucket, waiting for my sweet sweet backups

Security

Just uploading everything to Wasabi wasn’t secure enough for me, so I’m encrypting my tar files with GPG.

What is GPG?

From their website:

GnuPG (GNU Privacy Guard) is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command-line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. GnuPG also provides support for S/MIME and Secure Shell (ssh).

So, by using GPG I can encrypt my files before uploading to Wasabi, so if for any reason there is a leak, my files will still be protected by my GPG password.

Script

Nextcloud

#!/bin/sh

# Nextcloud
echo "======================================"
echo "Backing up Nextcloud"
cd /var/lib/docker/volumes/nextcloud_nextcloud/_data/data/roger

NEXTCLOUD_FILE_NAME=$(date +"%Y_%m_%d")_nextcloud_backup
echo $NEXTCLOUD_FILE_NAME

echo "Compressing"
tar czf /root/$NEXTCLOUD_FILE_NAME.tar.gz files/

echo "Encrypting"
gpg --passphrase-file the/location/of/my/passphrase --batch -c /root/$NEXTCLOUD_FILE_NAME.tar.gz

echo "Uploading"
aws s3 cp /root/$NEXTCLOUD_FILE_NAME.tar.gz.gpg s3://backups-cloud/Nextcloud/$NEXTCLOUD_FILE_NAME.tar.gz.gpg --endpoint-url=https://s3.wasabisys.com

echo "Deleting"
rm /root/$NEXTCLOUD_FILE_NAME.tar.gz /root/$NEXTCLOUD_FILE_NAME.tar.gz.gpg

A breakdown

#!/bin/sh

This is to specify this is a shell script. The standard for this type of scripts.

# Nextcloud
echo "======================================"
echo "Backing up Nextcloud"
cd /var/lib/docker/volumes/nextcloud_nextcloud/_data/data/roger

NEXTCLOUD_FILE_NAME=$(date +"%Y_%m_%d")_nextcloud_backup
echo $NEXTCLOUD_FILE_NAME

Here, I cded to where my Nextcloud files are located. On De-Google my life part 3 I talk about my mistake of not setting my volumes correctly, that’s why I have to go to this location. I also create a new filename for my backup file using the current date information.

echo "Compressing"
tar czf /root/$NEXTCLOUD_FILE_NAME.tar.gz files/

echo "Encrypting"
gpg --passphrase-file the/location/of/my/passphrase --batch -c /root/$NEXTCLOUD_FILE_NAME.tar.gz

Then, I compress the file into a tar.gz file. After, it is where the encryption happens. I have a file located somewhere in my server with my GPG password, it is used to encrypt my files using the gpg command. The command then returns a “filename.tar.gz.gpg” file, which is then uploaded to Wasabi.

echo "Uploading"
aws s3 cp /root/$NEXTCLOUD_FILE_NAME.tar.gz.gpg s3://backups-cloud/Nextcloud/$NEXTCLOUD_FILE_NAME.tar.gz.gpg --endpoint-url=https://s3.wasabisys.com

echo "Deleting"
rm /root/$NEXTCLOUD_FILE_NAME.tar.gz /root/$NEXTCLOUD_FILE_NAME.tar.gz.gpg

Finally, I upload everything to Wasabi using awscli and delete the file, so I keep my filesystem clean.

Is that it?

This is the basic setup for backups, and it is repeated among all my apps, with few variations

Dokuwiki

# Dokuwiki
echo "======================================"
echo "Backing up Dokuwiki"
cd /data/docker

DOKUWIKI_FILE_NAME=$(date +"%Y_%m_%d")_dokuwiki_backup

echo "Compressing"
tar czf /root/$DOKUWIKI_FILE_NAME.tar.gz dokuwiki/

echo "Encrypting"
gpg --passphrase-file the/location/of/my/passphrase --batch -c /root/$DOKUWIKI_FILE_NAME.tar.gz

echo "Uploading"
aws s3 cp /root/$DOKUWIKI_FILE_NAME.tar.gz.gpg s3://backups-cloud/Dokuwiki/$DOKUWIKI_FILE_NAME.tar.gz.gpg --endpoint-url=https://s3.wasabisys.com

echo "Deleting"
rm /root/$DOKUWIKI_FILE_NAME.tar.gz /root/$DOKUWIKI_FILE_NAME.tar.gz.gpg

Pretty much the same as the last one, so here is a quick explanation:

cd to a folder
tar it
encrypt it with gpg
upload it to a Wasabi bucket
delete the local files

Ghost

# Ghost
echo "======================================"
echo "Backing up Ghost"
cd /root

GHOST_FILE_NAME=$(date +"%Y_%m_%d")_ghost_backup

docker container cp ghost_ghost_1:/var/lib/ghost/ $GHOST_FILE_NAME
docker exec ghost_db_1 /usr/bin/mysqldump -u root --password=my-secure-root-password ghost > /root/$GHOST_FILE_NAME/ghost.sql

echo "Compressing"
tar czf /root/$GHOST_FILE_NAME.tar.gz $GHOST_FILE_NAME/

echo "Encrypting"
gpg --passphrase-file the/location/of/my/passphrase --batch -c /root/$GHOST_FILE_NAME.tar.gz

echo "Uploading"
aws s3 cp /root/$GHOST_FILE_NAME.tar.gz.gpg s3://backups-cloud/Ghost/$GHOST_FILE_NAME.tar.gz.gpg --endpoint-url=https://s3.wasabisys.com

echo "Deleting"
rm -r /root/$GHOST_FILE_NAME.tar.gz $GHOST_FILE_NAME /root/$GHOST_FILE_NAME.tar.gz.gpg

A few differences!

docker container cp ghost_ghost_1:/var/lib/ghost/ $GHOST_FILE_NAME
docker exec ghost_db_1 /usr/bin/mysqldump -u root --password=my-secure-root-password ghost > /root/$GHOST_FILE_NAME/ghost.sql

Something new! Since on Ghost I didn’t mount any volumes, I had to get the files directly from the docker container and then get a DB dump for safekeeping. Nothing too groundbreaking, but worth explaining.

All done! How do I run it automatically?

Almost done! I just need to run everything automatically, so I can just set it and forget it. Just like before, whenever I want to run something programatically, I will use a cronjob:

0 0 * * 1 sh /opt/backup.sh

This means:
Please, can you run this script every Monday at 0:00? Thanks, server :*

Looking good! Does it work?

Look for yourself :)

Nextcloud

Dokuwiki

Ghost

Where do we go from here?

I don’t know, I only know this project is not over. I have other apps running (Wallabag, Matomo and Commento), but I don’t find them as interesting for a new post (of course, if you still want to read about it I will gladly do it).

I hope you all learned from and enjoyed this experience with me because I sure have! I’ve had amazing feedback from the community and that’s what always kept this project on my mind.

A big thank you to /r/selfhosted and more recently /r/degoogle, I learned A LOT from those communities. If you liked these series, you will definitely like those subreddits.

I’m looking to transform all this knowledge to educational talks soon, so if you are in the Montevideo area, stay tuned for a possible meetup! (I know this is a longshot in a country of around 4 million people, but worth trying hehe).

Again, thank you for joining me on this journey and stay tuned! There is more content coming :)

De-Google my life - Part 4 of ¯ (ツ)_/¯: Dokuwiki & Ghost

Wed, 20 Nov 2019 19:29:00 -0300

Hello everyone! Welcome to the fourth post of my blogseries “De-Google my life”. If you haven’t read the other ones you definitely should! (Part 1, Part 2, Part 3).

First of all, sorry for the long wait. I had a couple of IRL things to take care of (we will discuss those in further posts, I promise ( ͡° ͜ʖ ͡°)), but now I have plenty of time to work on more blog posts and other projects. Thanks for sticking around, and if you are new, welcome to this journey!

On this post, we get to the fun part: What am I going to do to improve my online presence? I began with the simplest answer: A blog (this very same blog you are reading right now lol)

Ghost

Ghost is an open source, headless blogging platform made in NodeJS. The community is quite large and most importantly, it fitted all my requirements (Open source and runs in a docker container).

For the installation, I kept it simple. I went to the DockerHub page for Ghost and used their base docker-compose config for myself. This is what I came up with:

version: '3.1'

services:

 ghost:
 image: ghost:1-alpine
 restart: always
 ports:
 - 7000:2368
 environment:
 database__client: mysql
 database__connection__host: db
 database__connection__user: root
 database__connection__password: my_super_secure_mysql_password
 database__connection__database: ghost
 url: https://blog.rogs.me

 db:
 image: mysql:5.7
 restart: always
 environment:
 MYSQL_ROOT_PASSWORD: my_super_secure_mysql_password

Simple enough. The base ghost image and a MySQL db image. Simple, readable, functional.

For the NGINX configuration I used a simple proxy:

server {
 listen 80;
 listen [::]:80;
 server_name blog.rogs.me;
 add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;

 location / {
 proxy_pass http://127.0.0.1:7000;
 proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto https;
 proxy_redirect off;
 proxy_read_timeout 5m;
 }
 client_max_body_size 10M;
}

What does this mean? This config is just “Hey NGINX! proxy port 7000 through port 80 please, thanks”

And that was it. So simple, there’s nothing much to say. Just like the title of the series,¯\_(ツ)_/¯

After that, it was just configuration and setup. I modified this theme to match a little more with my website colors and themes. I think it came out pretty nice :)

Dokuwiki

I have always admired tech people that have their own wikis. It’s like a place where you can find more about them in a fast and easy way: What they use, what their configurations are, tips, cheatsheets, scripts, anything! I don’t consider myself someone worthy of a wiki, but I wanted one just for the funsies.

While doing research, I found Dokuwiki, which is not only open source, but it uses no database! Everything is kept in files which compose your wiki. P R E T T Y N I C E.

On this one, DockerHub had no oficial Dokuwiki image, but I used a very good one from the user mprasil. I used his recommended configuration (no docker-compose needed since it was a single docker image):

docker run -d -p 8000:80 --name my_wiki \
 -v /data/docker/dokuwiki/data:/dokuwiki/data \
 -v /data/docker/dokuwiki/conf:/dokuwiki/conf \
 -v /data/docker/dokuwiki/lib/plugins:/dokuwiki/lib/plugins \
 -v /data/docker/dokuwiki/lib/tpl:/dokuwiki/lib/tpl \
 -v /data/docker/dokuwiki/logs:/var/log \
 mprasil/dokuwiki

Some mistakes were made, again
I was following instructions blindly, I’m dumb. I mounted the Dokuwiki files on the /data/docker directory, which is not what I wanted. In the process of working on this project, I have learned one big thing:

Always. check. installation. folders and/or mounting points

Just like the last one, I didn’t want to fix this just for the posts, I’m writing about my experience and of course it wasn’t perfect.

Let’s continue. Once the docker container was running, I configured NGINX with another simple proxy redirect:

server {
 listen 80;
 listen [::]:80;
 server_name wiki.rogs.me;
 add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;

 location / {
 proxy_pass http://127.0.0.1:8000;
 proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto https;
 proxy_redirect off;
 proxy_read_timeout 5m;
 }
 client_max_body_size 10M;
}

Just as the other one: “Hey NGINX! Foward port 8000 to port 80 please :) Thanks!”

Simple dokuwiki screen, nothing too fancy

Again, just like the other one, configuration and setup and voila! Everything was up and running.

Conclusion

I was getting the hang of this “Docker” flow. There were mistakes, yes, but nothing too critical that would hurt me in the long run. Everything was running smoothly, and just with a few commands I had everything running and proxied. Just what I wanted.

Stay tuned for the next delivery, where I’m going to talk about GPG encrypted backups to an external Wasabi “S3 like” bucket. I promise this one won’t take 8 months.

Click here for part 5

De-Google my life - Part 3 of ¯ (ツ)_/¯: Nextcloud & Collabora

Thu, 28 Mar 2019 19:07:00 -0400

Hello everyone! Welcome to the third post of my blogseries “De-Google my life”. If you haven’t read the other ones you definitely should! (Part 1, Part 2). Today we are moving forward with one of the most important apps I’m running on my servers: Nextcloud. A big part of my Google usage was Google Drive (and all it’s derivate apps). With Nextcloud I was looking to replace:

Docs
Drive
Photos
Contacts
Calendar
Notes
Tasks
More (?)

I also wanted some new features, like connecting to a S3 bucket directly from my server and have a web interface to interact with it.

The first step is to set up the server. I’m not going to explain that again, but if you want to read more about that, I explain it a bit better on the second post

Nextcloud

Installation

For my Nextcloud installation I went straight to the official docker documentation and extracted this docker compose:

version: '2'

volumes:
 nextcloud:
 db:

services:
 db:
 image: mariadb
 command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
 restart: always
 volumes:
 - db:/var/lib/mysql
 environment:
 - MYSQL_ROOT_PASSWORD=my_super_secure_root_password
 - MYSQL_PASSWORD=my_super_secure_password
 - MYSQL_DATABASE=nextcloud
 - MYSQL_USER=nextcloud

 app:
 image: nextcloud
 ports:
 - 8080:80
 links:
 - db
 volumes:
 - nextcloud:/var/www/html
 restart: always

Some mistakes were made
I forgot to mount the volumes and Docker automatically mounted them in /var/lib/docker/volumes/. This was a small problem I haven’t solved yet because it hasn’t bringed any serious issues. If someone knows if this is going to be problematic in the long run, please let me know. I didn’t wanted to fix this just for the posts, I’m writing about my experience and of course it wasn’t perfect.

I created the route /opt/nextcloud to keep my docker-compose file and finally ran:

docker-compose pull
docker-compose up -d

It was that simple! The app was running on port 8080! But that is not what I wanted. I wanted it running on port 80 and 443. For that I used a reverse proxy with NGINX and Let’s Encrypt

NGINX configuration

Configuring NGINX is dead simple. Here is my configuration

/etc/nginx/sites-available/nextcloud:

 server {
 listen 80 default_server;
 listen [::]:80 default_server;
 server_name myclouddomain.com;
 return 301 https://$server_name$request_uri;
 }

 server {
 listen 443 ssl;
 server_name myclouddomain.com;
 add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;

 ssl on;
 ssl_certificate /etc/letsencrypt/live/myclouddomain.com/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/myclouddomain.com/privkey.pem;

 location / {
 proxy_pass http://127.0.0.1:8080;
 proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto https;
 proxy_redirect off;
 proxy_read_timeout 5m;
 }

 location = /.well-known/carddav {
 return 301 $scheme://$host/remote.php/dav;
 }
 location = /.well-known/caldav {
 return 301 $scheme://$host/remote.php/dav;
 }
 # Set the client_max_body_size to 1000M so NGINX doesn't cut uploads
 client_max_body_size 1000M;
 }

Then I created a soft link from the configuration file to the “sites enabled” folder:

ln -s /etc/nginx/sites-available/nextcloud /etc/nginx/sites-enabled

and that was it!

In this configuration you will see that I’m already referencing the SSL certificates even though they don’t exist yet. We are going to create them on the next step.

Let’s Encrypt configuration

To generate the SSL certificates first you need to point your domain/subdomain to your server. Every DNS manager is different, so you will have to figure that out. The command I will use throught this blog series to create certificates is the following:

sudo -H certbot certonly --nginx-d mydomain.com

The first time you run Let’s Encrypt, you have to configure some stuff. They will ask you for your email and some questions. Input that information and finish the process.

To enable automatic SSL certificates renovation, create a new cron job (crontab -e) with the following information:

0 3 * * * certbot renew -q

This will run every morning at 3AM and check if any of your domains needs to be renewed. If they do, it will renew it.

At the end, you should be able to visit https://myclouddomain.com and be greeted with a nice NextCloud screen:

Beautiful yet frustrating blue screen

Nextcloud configuration

In this part I got super stuck. I had everything up and running, but I couldn’t get my database to connect. It was SUPER FRUSTRATING. This is why I had failed:

Since in my docker-compose file I called the MariaDB docker db, the database host was not localhost but db.

Once that was fixed, Nextcloud was 100% ready to be used!

After that I went straight to “Settings/Basic settings” and noticed that my background jobs were set to “Ajax”. That’s not good, because if I don’t open the site, the tasks will never run. I changed it to “Cron” and created a new cron on my server with the following information:

*/15 * * * * /usr/bin/docker exec --user www-data nextcloud_app_1 php cron.php

This will run the Nextcloud cronjob in the docker machine every 15 mins.

Then, in “Settings/Overview” I noticed a bunch of errors on the “Security & setup warnings” part. Those were very easy to fix, but since all installations aren’t the same I won’t go deep into this. DuckDuckGo is your friend.

Extra stuff

The Nextcloud apps store is filled with some interesting applications. The ones I have installed are:

But you can add as many as you want! You can check them out here

Collabora

Now that NextCloud was up and running, I needed my “Google Docs” part. Enter Collabora!

Installation

If you don’t know what it is, Collabora is like Google Docs / Sheets / Slides but free and open source. You can check more about the project here

This was a very easy installation. I ran it directly with docker:

docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=mynextclouddomain.com' --restart always --cap-add MKNOD collabora/code

Created a new NGINX reverse proxy

/etc/nginx/sites-available/collabora:

 # Taken from https://icewind.nl/entry/collabora-online/
 server {
 listen 443 ssl;
 server_name office.mydomain.com;

 ssl_certificate /etc/letsencrypt/live/office.mydomain.com/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/office.mydomain.com/privkey.pem;

 # static files
 location ^~ /loleaflet {
 proxy_pass https://localhost:9980;
 proxy_set_header Host $http_host;
 }

 # WOPI discovery URL
 location ^~ /hosting/discovery {
 proxy_pass https://localhost:9980;
 proxy_set_header Host $http_host;
 }

 # main websocket
 location ~ ^/lool/(.*)/ws$ {
 proxy_pass https://localhost:9980;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "Upgrade";
 proxy_set_header Host $http_host;
 proxy_read_timeout 36000s;
 }

 # download, presentation and image upload
 location ~ ^/lool {
 proxy_pass https://localhost:9980;
 proxy_set_header Host $http_host;
 }

 # Admin Console websocket
 location ^~ /lool/adminws {
 proxy_pass https://localhost:9980;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "Upgrade";
 proxy_set_header Host $http_host;
 proxy_read_timeout 36000s;
 }
 }

Created the SSL certificate for the collabora installation:

sudo -H certbot certonly --nginx-d office.mydomain.com

And finally I created a soft link from the configuration file to the “sites enabled” folder:

ln -s /etc/nginx/sites-available/collabora /etc/nginx/sites-enabled

Pretty easy stuff.

Nextcloud configuration

In Nextcloud I installed “Collabora” from the “Apps” menu. On “Settings/Collabora Online” I added my Collabora URL, applied it and voila!

Sweet Libre Office feel

S3 bucket

One of my biggest motivation for this project was a cheap, long term storgage solution for some files I don’t interact with every day. I’m talking music, movies, videos, ISOS, etc. I used to have a bunch of HDD’s but because of all the power outages in Venezuela, almost all my HDDs have died, and new ones are very expensive here, not to say all the issues we have with importing them from the US.

I wanted to look for something S3 like, but as cheap as possible.

In my investigations I found Wasabi. Not only it was S3 like, but it was dirt cheap. $6 per month for 1TB of data. 1TB OF DATA FOR $6!! I could not believe it!

I created an account and installed the “external storage support” plugin in Nextcloud. After it was installed, I went to “Settings/External Storages” and filled up the information:

My bucket name is “long-term-storage” and my local folder name is “Long term storage”. You will need to generate API keys for the connection.

I applied the changes and that was it! I could not believe how simple it was, so I uploaded a file just to test:

Classic noice meme uploaded in Nextcloud, ready to download in Wasabi. toungue sound Nice

Conclusion

The project is looking good! In one sitting I have replaced almost every Google product and even added a humungus amount of storage (virtually infinite!) to the project. For the next delivery I’ll add new and fun stuff I always wanted to host myself, like a Wiki, a Blog (this very same blog!) and many more!

Stay tuned.

Click here for part 4
Click here for part 5

De-Google my life - Part 2 of ¯ (ツ)_/¯: Servers and Emails

Fri, 22 Mar 2019 21:03:00 -0400

Hello everyone! Welcome to the second post of this blog series that aims to de-google my life as much as possible. If you haven’t read the first one, you should definitely check it out. On this delivery we’ll focus more on code and configurations so I promise you it won’t be as boring :)

Servers configuration

As I mentioned on the previous post, I’ll be using two servers that are going to be configured almost the same, so I’m going to explain it only one time. In order to host my servers I’m using DigitalOcean because I’m very used to their UI, their prices are excelent and they accept Paypal. If you haven’t yet, you should check them out.

To start, I’m using their $5 server which at the time of this writing includes:

Ubuntu 18.04 64 bits
1GB RAM
1 CPU
1000 GB of monthly transfers

Installation

On my first SSH to the server I perform basic tasks such as updating and upgrading the server:

sudo apt update && sudo apt ugrade - y

Then I install some essentials like Ubuntu Common Properties (used to add new repositories using add-apt-repository) NGINX, HTOP, GIT and Emacs, the best text editor in this planet vim sucks

sudo apt install software-properties-common nginx htop git emacs

For SSL certificates I’m going to use Certbot because it is the most simple and usefull tool for it. This one requires some extra steps:

sudo add-apt-repository ppa:certbot/certbot -y
sudo apt update
sudo apt install python-certbot-nginx -y

By default DigitalOcean servers have no swap, so I’ll add it by pasting some DigitalOcean boilerplate on to the terminal:

sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
sudo cp /etc/fstab /etc/fstab.bak
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
sudo sysctl vm.swappiness=10
sudo sysctl vm.vfs_cache_pressure=50
sudo echo "vm.swappiness=10" >> /etc/sysctl.conf
sudo echo "vm.vfs_cache_pressure=50" >> /etc/sysctl.conf

This adds 2GB of swap

Then I set up my firewall with UFW:

sudo ufw allow 22 #SSH
sudo ufw allow 80 #HTTP
sudo ufw allow 443 #HTTPS
sudo ufw allow 25 #IMAP 
sudo ufw allow 143 #IMAP 
sudo ufw allow 993 #IMAPS
sudo ufw allow 110 #POP3 
sudo ufw allow 995 #POP3S
sudo ufw allow 587 #SMTP
sudo ufw allow 465 #SMTPS
sudo ufw allow 4190 #Manage Sieve

sudo ufw enable

Finally, I install docker and docker-compose, which are going to be the main software running on both servers.

# Docker
curl -sSL https://get.docker.com/ | CHANNEL=stable sh
systemctl enable docker.service
systemctl start docker.service

# Docker compose
curl -L https://github.com/docker/compose/releases/download/$(curl -Ls https://www.servercow.de/docker-compose/latest.php)/docker-compose-$(uname -s)-$(uname -m) > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

Now that everything is done, we can continue configuring the first server!

Server #1: Mailcow

For my email I chose Mailcow. Why?

It checks all of my “challenges list” items from last week’s post (open source and dockerized).
The documentation is fantastic, explaining each detail one by one.
It has a huge community behind it.

Installation & Setup

Installation was simple, first I followed the instructions on their official documentation

cd /opt
git clone https://github.com/mailcow/mailcow-dockerized
cd mailcow-dockerized
./generate_config.sh
# The process will ask you for your FQDN to automatically configure NGINX.
# Mine is mail.rogs.me, but yours might be whatever you want

I pointed my subdomain (an A record in Cloudflare) and I finally opened my browser and visited https://mail.rogs.me and there it was, beautiful as I was expecting.

What a beautiful cow

After that I just followed the documentation to configure their Let’s Encrypt docker image, added more records on my DNS and tested a lot with https://www.mail-tester.com/ until I got a good score

My actual score. Everything is perfect in self-hosted-mail-land

I know that sometimes that score doesn’t mean much, but at least is nice to know my email is completely configured.

Backups

Since I keep all my emails local, I didn’t want a huge backup solution for this server, so I went with the DigitalOcean backup, which costs $1 per month. Cheap, reliable and it just works.

Edit Nov 23-26 2019

As of now, I’m not using PIA anymore because they where bought by Kape Technologies, which is known for sending malware through their software and for being scummy in general.. I’m now using Mullvad, which really focuses on security. If you were using PIA, I really recommend you change providers.

Conclusion

With all of this my first server was done, but it was also the easiest. This one was a pretty straightforward installation with nothing fancy going on: No backups, no NGINX configuration, nothing much. On the good side, I had my email working really quick and it was a very satisfying and rewarding experience. This is when the “selfhost everything” bug bit me and this project really started ramp up in speed. On the next post we will talk about the second server, which includes fun stuff as Nextcloud, Collabora, Dokuwiki and many more.

Stay tuned!

Click here for part 3
Click here for part 4
Click here for part 5

De-Google my life - Part 1 of ¯ (ツ)_/¯: Why? How?

Fri, 15 Mar 2019 15:59:00 -0400

Hi everyone! I’m here with my first project of the year. It is almost done, but I think it is time to start documenting everything.

One day I was hanging out with my girlfriend looking for trips to japan online and found myself bombarded by ads that were disturbingly specific. We realized at the moment that Google knows A LOT of us, and we were not happy about that. With my tech knowledge, I knew that there were a lot of alternatives to Google, but first I needed to answer a bigger question:

Why?

I told my techie friends about the craziness I was trying to accomplish and they all answered in unison: Why?

So I came up with the following list:

Privacy. The internet is a scary place if you don’t know what you are doing. I don’t like big corporations knowing everything about me just to sell ads or use my data for whatever they want. I have learned that if something is free it’s because you are the product EXCEPT in opensource (thanks to /u/SnowKissedBerries for that clarification.
Security. I live in a very controlled country (Venezuela). Over here, almost every government agency is looking at you, so using selfhosted alternatives and a VPN is a peace of mind for me and my family.
To learn. Learning all these skills are going to be good for my career as a Backend / DevOps engineer.
Because I can and it is fun. Narrowing it all down, I’m doing this because I can. It might be overkill, dumb, unreliable but it is really fun. Learning new skills is always a good, fun experience, for me at least.

Perfect! I have all the “Whys” detailed, but how am I going to achieve all of this?

How?

First of all, I went to the experts (shout out to /r/selfhosted!) and read all the interesting topics over there that I could use for my selfhostable endeavours. After 1 week of reading and researching, I came with the following setup:

2 servers, each one with the following stack:

Server 1: Mail server
Mailcow for my SMTP / IMAP email server
Server 2: Everything-else server
Nextcloud for my files, calendar, tasks and contacts
Some other apps (?) (More on that for the following posts)

I chose DigitalOcean for the hosting because it is cheap and I have a ton of experience with those servers (I have setup more than 100 servers on their platform).

For VPN I chose PIA. The criteria for this decision was that one of my friends borrowed me his account for ~2 weeks and it worked super quick. Sometimes I didn’t realize I was connected to the VPN on because the internet was super fast.

Some self-imposed challenges

I knew this wasn’t going to be easy, so of course I added more challenges just because ~~I’m dumb~~.

Only use open source software
I wasn’t going to install more proprietary software on my servers. I wanted free and open source alternatives for my setup.
Only use Docker
I had “Learn docker” in my backlog for too long, so I used this opportunity to learn it the hard way.
Use a cheap but reliable backup solution
One of the parts that scared me about having my own servers was the backups. If one of the servers goes down, almost all of my work goes with it, so I needed to have a reliable but cheap backup solution.

Conclusion

This is only the first part, but I’m planning on this being a long and very cool project. I hope I didn’t bore you to death with all my yapping, I promise my next post will be more entertaining with code, server configurations, and all of that good stuff.

Click here for part 2
Click here for part 3
Click here for part 4
Click here for part 5