My Website Architecture

I won’t get into the weeds on this blog post, but I don’t really care for social media. I much prefer this platform right here. My website, my domain, my kingdom. I hope this encourages someone to learn some HTML, CSS, and maybe dabble in a little bit of DevOps and GitOps. It can be fun for the right person. (Me).

2024-09-16-lab

Applications

On my Windows development PC, I use the following tools….

VSCode: Edit the Markdown docs.
JekyllRB: Ruby Gem to test the markdown to HTML templating locally.
GitHub Desktop: Version control and the start of the deployment pipeline.
cwebp: Google binary to convert images into webp.

GitHub Desktop is a great git wrapper for Windows. Its really easy to create branches, push and pull changes, and anything else Git related.

JekyllRB had a small learning curve, but once I understood how to update and maintain the Ruby Gems and Gemfile it became way easier. I’ve honestly really enjoyed being able to pass in the --livereload command and watch my changes on a seperate monitor.

Converting images from their original format into a webp format is a bit tedious. I was doing it all in powershell but I’ve started to use the ThioJoe cwebpGUI and its a bit easier I guess. I like that it shows me the cwebp command it generates more than anything. I serve these high-quality but compressed images from an Object Storage bucket into a CDN for distribution.

My Akamai Cloud

This cookieless website gets about 2,000 hits per month at the Bunny CDN. I just assume it’s 99.9% bot traffic so really the only person here is me, and that’s perfectly fine with me. I could get away with hosting this site 6 different ways for free, but I enjoy and trust the platform. I use a $5/month Nanode, paired with a $5/month 250GB S3-compatible Object Storage Bucket. As a paying customer, I’m also able to use their DNS Resolvers as my Authoritative Name Servers. Doing all of this on one platform is awesome because they have a Python3 pip package called Linode-CLI that has a huge range of capabilities.

It’s best practice to restrict root access, enforce the use of cryptographic key-pair for ssh access, adjust listening settings on the sshd daemon, and install fail2ban. I’ve done this. But I want to go even further. I’ve setup and enabled the local UFW firewall, setup SSH to be limited to my Tailscale TailNet while still enforcing the SSH Key requirement, installed CrowdSec, a CrowdSec bouncer or four, and finally….

Put my Nanode behind a Cloud Firewall. Yes - I block ICMP traffic before the web server and at the web server.

2024-09-16-cloud-firewall