Docker deployments for alternative frontends

Deploys privacy friendly services that don't have any persistent data.

Main Goals

• TLS 1.3 only
• Elliptic Curve Certificates (90 Day lifespan) with Let's Encrypt
• Only strong Cipher Suites (as they are in TLS 1.3)
• Strict Transport Security (HSTS) Header for two years
• Online Certificate Status Protocol (OCSP) stapling
• Strong Content Security Policy (CSP) Header
• Common HTTP Security Headers
• Don't send any Referrer
• No Cookies (If not necessary)
• Minimal or no Logs
• automated daily updates
• automated daily restarts to avoid data accumulation
• Provide Tor Onion services
• Provide a /.well-known/security.txt

additionally i have configured this on my deployments

• HSTS preload
• Domain Name System Security Extensions (DNSSEC)
• DNS Certification Authority Authorization (CAA)

privacy friendly frontends i've included are:

Bibliogram (REMOVED)

PROJECT DISCONTINUED https://cadence.moe/blog/2022-09-01-discontinuing-bibliogram

An alternative front-end for Instagram.

Sourcehut

Libreddit

An alternative private front-end to Reddit

Jitsi Meet

Jitsi Meet is an open-source (Apache) WebRTC JavaScript application that uses Jitsi Videobridge to provide high quality, secure and scalable video conferences.

Nitter

A free and open source alternative Twitter front-end focused on privacy.

Whoogle

A self-hosted, ad-free, privacy-respecting metasearch engine

Installation

I deploy to Ubuntu 20.04 LTS. But everything with Docker Engine (or maybe even Podman) will work.

1. clone project on your host

git clone https://github.com/pred2k/docker-deployments.git /docker-deployments

1. Create docker network:

docker network create traefik_default

1. (optional) Create cronjob for regular updates:
   run crontab -e and add this line:

0 11 * * *	systemd-cat -t docker-deploy /docker-deployments/update-images-and-restart.sh

Committing changes from deployment host back to repo

After checking out the repo on a host, local config changes need to be transfered back to the repo. To avoid getting my private ssh key on the host i prefer github's fine-grained personal access token.

to setup:

1. go to https://github.com/settings/personal-access-tokens/new
2. generate a new token only with permission to the specific repo and Repository permissions must have read/write for Contents.

to use next time (single use token):

1. go to https://github.com/settings/personal-access-tokens/375481 (works in github my account only)
2. press Regenerate token with Expiration: 7 days
3. to go host and run git push login with username and the generated token as password.

More see https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#creating-a-fine-grained-personal-access-token