etsd VS dotfiles

A pretty same setup with a bunch of differences:

1. I'm using a single postgresql database for all apps (each with a different user) on a different server; each app has a different db user

2. I use a minio instance for file/media uploads/serving

3. I mostly use nginx but i'm transitioning new apps to caddy because of automatic integration with let's encrypt and much smaller config for common purposes

4. I use a fab-classic (fabric 1x) script to deploy new versions: https://github.com/spapas/etsd/blob/master/fabfile.py

5. For backup I do a logical db backup once per day via cron (using a script similar to this https://spapas.github.io/2016/11/02/postgresql-backup/)

6. One memcache instance of all apps

7. Each app gets a redis instance (if redis is needed): https://gist.github.com/akhdaniel/04e4bb2df76ef534b0cb982c1d...

8. Use systemd for app control

Yes, you are right on that. If the server is compromised a malicious user may change the client-side code to add a backdoor and steal your private key when you unlock it. He'll be able to steal only the keys that are unlocked while the backdoor stays undetected (not all the data).

The ideal way to resolve that would be to change the service to an API and offer binaries with a correct signature so the user can check and make sure that they get the correct thing. Actually I tried writing the client binaries using electron (https://github.com/spapas/etsd/tree/master/client) but didn't have the time for that :(

You are rigth though, I've added a Risks section to warn for that thingie https://github.com/spapas/etsd/blob/master/README.md#risks

Source: https://github.com/susam/dotfiles/blob/main/shrc#L381

I have a similar setup for my personal and project websites. Some similarities and differences:

* I use Linode VMs ($5/month).

* I too use Debian GNU/Linux.

* The initial configuration of the VM is coded as a shell script: https://github.com/susam/dotfiles/blob/main/linode.sh

* Project-specific or service-specific configuration is coded as individual Makefiles. This takes care of creatng An example: https://github.com/susam/susam.net/blob/main/Makefile

* The software is written in Common Lisp. In case of a personal website or blog, a static website is generated by a Common Lisp program. In case of an online service or web application, the service is written as a Common Lisp program that uses Hunchentoot to process HTTP requests and return HTTP responses.

* I use Nginx too. Nginx serves the static files as well as functions as a reverse proxy when there are backend services involved. Indeed TLS termination is an important benefit it offers. Other benefits include rate limiting requests, configuring an allowlist for HTTP headers to protect the backend service, etc.

I have something similar but a little more elaborate at my ~/bin to ensure that there isn't a severe loss of quality during the conversion: https://github.com/susam/dotfiles/blob/e434b7c/bin/xmp3

I follow a similar but handcrafted approach. I have a dotfiles repo with a setup script that automates the creation or deletion of all the symbolic links: https://github.com/susam/dotfiles/blob/master/setup

So what I do on any new system is just:

  git clone https://github.com/susam/dotfiles.git