Hosting My Own Site

For many years, I’ve owned the DNS entry for jakehamby.com, but I had been neglecting to do anything interesting with the domain. About 6 years ago, I paid to host a WordPress blog on a shared hosting provider, then I stopped paying for that and had the URL redirected to Medium, so I could have a blog at the URL.

About 3 weeks ago, I decided that I wanted to self-host my own WordPress blog, on my Raspberry Pi 400, over my gigabit fiber Internet connection, because it uses so little electricity and WordPress and Apache require so little CPU. I also wanted it to support HTTPS and IPv6 access, as well as Google Analytics, Twitter cards, and spam filtering. Here’s how I set it all up.

I bought the Pi 400 last year after becoming obsessed with RISC OS after watching YouTube videos about it, like Dan Wood’s 2021 review, and the series on getting started with RISC OS Direct. I decided to give it a try on my Raspberry Pi 3. I’d previously spent only a few minutes total with RISC OS before deciding there wasn’t anything useful I could do with it.

After watching the YouTube videos I mentioned, and learning as much as I could about both using and developing for RISC OS, it got me very excited about the OS as something unique and different and worth blogging about. I’ll have to do that in later posts, though, because this one is about running my site on Linux. I just wanted to explain why I bought the Pi 400.

After getting the Pi 400, it was powerful enough to try different Linux distros, and I settled on 64-bit Ubuntu desktop as the most powerful. I’m using Ubuntu 20.04 LTS on my x86 PC, so the Pi version is very familiar. The only major weaknesses I noticed with the Pi 400 as a Linux desktop were that YouTube videos don’t play properly (there’s a browser extension that’s supposed to force YouTube to serve H.264 video, which is hardware-accelerated, but YouTube insists on serving me VC9 or AV1, which it can’t handle), and when I started using VS Code to write code for my Amiga emulator project, there was a noticeable mouse and keyboard lag, especially with Chrome running, although uBlock Origin helped.

I decided to switch to my faster Intel Linux PC to use as my main Linux desktop, which meant that the Pi 400 was available, and used so little power that even in the event of a power outage, my UPS would keep serving content for at least an hour, and I’d be able to use the Pi 400 as a desktop to access the Internet. AT&T Fiber has so far continued working when my building has had outages.

I started with the “Install and configure WordPress” tutorial on the Ubuntu site, which recommends downloading the latest version of WordPress manually, instead of using the Ubuntu package, so that it can auto-update properly. After following all the steps, I had Apache and WordPress up and running. Now for the DNS and IPv6.

To save time, I’ll include the text version of the DNS records that I set up through the GoDaddy domain manager GUI. The Google site verification entry is to prove to Google that I own the domain so I can use the search console and analytics. The empty MX record allows me to receive email (more on that in a bit).

; Domain: jakehamby.com
; Exported (y-m-d hh:mm:ss): 2022-01-15 18:07:31

$ORIGIN jakehamby.com.

; SOA Record
@	3600	 IN 	SOA	ns17.domaincontrol.com.	dns.jomax.net. (
					2021122118
					28800
					7200
					604800
					3600
					) 

; A Record
@	86400	 IN 	A	104.182.63.69

; TXT Record
@	86400	 IN 	TXT	"google-site-verification=F_xhJiObC7B8t7Ur0Vmi8eyKJdOGotDuUtBCaPjAwVQ"

; AAAA Record
@	86400	 IN 	AAAA	2600:1700:46b0:abc0:dea6:32ff:feea:9f59

; CNAME Record
ftp	86400	 IN 	CNAME	@
www	86400	 IN 	CNAME	@

; NS Record
@	3600	 IN 	NS	ns17.domaincontrol.com.
@	3600	 IN 	NS	ns18.domaincontrol.com.

; MX Record
@	86400	 IN 	MX	0	@

I apologize for not setting the correct syntax highlighting for the code blocks. Either I don’t know how to change the language (I’m trying to type it into the purple box at the top), or I should use a different plugin for code blocks. Any suggestions welcome.

The IPv4 and IPv6 addresses point to the router for my Internet connection, which AT&T supplied with my subscription. It has quite a few advanced features, including a packet filter where I can make rules to drop source addresses if I see particular abuse coming from an IP address. I was also able to forward its log messages to the Pi by setting its IP address in the Syslog tab of the Diagnostics tab, and then installing rsyslog to perform syslog instead of systemd. I had to uncomment the lines in /etc/rsyslog.conf to enable TCP and UDP syslog reception on port 514. Here’s a setup guide to rsyslog on Ubuntu 20.04 with more information.

The IPv4 and IPv6 addresses in the DNS records were copied from the external IP addresses of the router, and I figured out how to get port forwarding working on both to connect to the Pi 400. Now it’s time to set up SSL, with Let’s Encrypt. The setup instructions for Apache and Ubuntu 20.04 weren’t too difficult for me to follow.
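An added example, not part of the original post: the AAAA value in the export above has ff:fe in the middle of its low 64 bits, the shape of a SLAAC modified EUI-64 address, which embeds a hardware MAC address. The check below decodes that and classifies a record before it is published; the function names are hypothetical and every address other than the page's AAAA value is constructed.

```python
import ipaddress

# AAAA value copied from the zone export above.
AAAA_RECORD = "2600:1700:46b0:abc0:dea6:32ff:feea:9f59"


def eui64_mac(address):
    """Return the MAC embedded in a modified EUI-64 address, or None.

    Modified EUI-64 (RFC 4291, Appendix A) splits the 48-bit MAC in half,
    inserts ff:fe in the middle and flips the universal/local bit.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]  # interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None                                  # not EUI-64 shaped
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def audit_aaaa(address):
    """Classify what a published AAAA record reveals about the host."""
    if not ipaddress.IPv6Address(address).is_global:
        return "not globally routable: unreachable from the Internet"
    mac = eui64_mac(address)
    if mac:
        return f"EUI-64: interface MAC {mac} is readable from DNS"
    return "no embedded MAC (manual, stable-privacy or temporary address)"


if __name__ == "__main__":
    print(audit_aaaa(AAAA_RECORD))
```

Configuring the interface for RFC 7217 stable-privacy addressing, or assigning the address manually, keeps the MAC out of public DNS while still giving the record a fixed target.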

Now it’s time to test that everything worked. I found some “test if your site works with IPv6” pages and fiddled with the DNS and port forwarding settings until I was satisfied that I could see my site from the outside world on both IPv4 and IPv6, with HTTP URLs automatically redirecting to the encrypted HTTPS versions.

By this point, I was very pleased with myself that everything was working and I could finally serve up some content. I spent a few hours looking at different themes and finally settled on the Twenty Twenty-One theme, which happens to be the default for the current version of WordPress. My only complaint with it is that I need to modify the paragraph width to be wider by default. If you have any style suggestions or tips on how to make them, please let me know in the comments below, or by email or Twitter.

Besides Google Search Console, I set up Bing Webmaster Tools, and made sure that both of them knew about WordPress’s automatically generated sitemap.xml page.

The last two details that I wanted to cover were WordPress plugins and Internet email with Postfix. Setting up incoming SMTP email was straightforward enough, using the Ubuntu tutorial for setting up Postfix. But for the life of me, I couldn’t figure out why my outbound email was failing. Eventually I discovered that AT&T, and apparently most other ISPs, blocks outbound port 25 for everyone. The spam email problem from botnets is just that bad.

Fortunately, I’m able to set smtp.gmail.com port 587 as the relayhost, giving me an /etc/postfix/main.cf that looks like:

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = jakehamby.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = jakehamby.com, raspi-ubuntu, localhost.localdomain, localhost
relayhost = smtp.gmail.com:587
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 524288000
recipient_delimiter = +
inet_interfaces = all
default_transport = smtp
relay_transport = smtp
inet_protocols = all
myorigin = /etc/mailname

# Let's encrypt our email (SMTP with STARTTLS).
# https://www.ssls.com/knowledgebase/installing-and-configuring-an-ssl-certificate-on-postfix-dovecot-mail-server/
smtpd_tls_cert_file=/etc/letsencrypt/live/jakehamby.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/jakehamby.com/privkey.pem
smtpd_use_tls=yes

# Use my Google account credentials to send via SMTP relay.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_use_tls = yes

The file /etc/postfix/sasl/passwd contains an entry with the username and application-specific password (I’m using 2FA on my Gmail account, as everyone should, so I can create revocable passwords for each app that needs one), and it’s owned by root, mode 600 (along with the hashed passwd.db file).
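An added example, not the author's code: a small audit of the relay-related settings in the main.cf above, since an authenticated relay sends the app password on every connection. It flags opportunistic TLS (the legacy smtp_use_tls = yes), an empty smtp_sasl_security_options and an unbracketed relayhost; the function names and the HARDENED variant are assumptions made for illustration.

```python
import re

# Constructed sample: the relay-related lines of the main.cf shown above.
MAIN_CF = """\
relayhost = smtp.gmail.com:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtp_sasl_security_options =
smtp_use_tls = yes
"""
# Hardened variant (an assumption for illustration, not the author's file).
HARDENED = """\
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
"""
MANDATORY_TLS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}


def parse_main_cf(text):
    """Parse 'name = value' lines, skipping comments and blank lines."""
    params = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params


def audit_relay(text):
    """Return a list of findings for an authenticated outbound relay."""
    p, findings = parse_main_cf(text), []
    # Legacy smtp_use_tls=yes means security level "may" (opportunistic).
    level = p.get("smtp_tls_security_level") or (
        "may" if p.get("smtp_use_tls") == "yes" else "none")
    opts = set(re.split(r"[,\s]+", p.get(
        "smtp_sasl_security_options", "noplaintext, noanonymous"))) - {""}
    if p.get("relayhost") and not re.fullmatch(r"\[[^\]]+\](:\w+)?", p["relayhost"]):
        findings.append("relayhost: no [brackets], so MX lookup is performed")
    if p.get("smtp_sasl_auth_enable") == "yes":
        if level not in MANDATORY_TLS:
            findings.append(f"TLS level '{level}': session may be cleartext")
            if "noplaintext" not in opts:
                findings.append("plaintext AUTH allowed without TLS")
        if "noanonymous" not in opts:
            findings.append("anonymous SASL mechanisms not excluded")
    return findings
```

If relayhost is changed to the bracketed form, the lookup key in /etc/postfix/sasl/passwd has to match it exactly, brackets and port included, and the map must be rebuilt with postmap.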

With all that configured, both inbound and outbound email are working, and now I can receive spam directly into /var/mail/jhamby! I’m especially happy that I can use this email account with mutt and to email patches inline as ASCII to mailing lists that prefer that format. Gmail’s editor is almost useless for this because of the word wrapping.

Finally, here’s the list of WordPress plugins that I’m using:

My next posts will cover my thoughts on the different non-x86 computers (hardware and OS) that I’ve become interested in over the years, in alphabetical order, including:

Let me know in the comments what you’d like to learn more about.

