namnatulco

Getting started with a personal coop-cloud instance

What's that, you ask? Basically, it's the cloud, except it isn't someone else's computer, but rather your own (or shared among some group of people).

My mental image is that it's a way for everyone to have cloud services without being dependent on “big tech”. Of course, “big tech” is not just horrible greedy capitalists destroying the planet with renewed vigor. Building cloud services involves work and specialization. The idea behind the coop-cloud is making it easy to share this work with others and minimizing the amount of work that needs to be done by everyone that sets it up. And so far: I'm pretty impressed at what has been achieved here already; even with my minimal practical experience, I managed to follow along (and even make my first, real open source contributions!).

That being said, it's not an off-the-shelf kind of thing at the moment; it's still pretty geared towards tech people. In fact, if you're not a cloud native developer or have some other previous practical experience with cloud services (and/or have operations experience – I know next to nothing about that, so you be the judge), you may struggle to follow what happens if you try on your own. This blog tries to take a newbie-friendly perspective and help you along. I will try to write in a way that is easy to follow even if you don't do much computer stuff – but admittedly, I will probably fail. Please point this out!

I’m currently working on a write-up of my experience with coop-cloud, which will hopefully also help people new to this space to gain a bit of confidence and join in (by the way, the blog you’re reading right now is running on my coop-cloud instance!)

Prerequisites for a building a coop-cloud

Getting a Coop-Cloud running is a bit more challenging than buying a bit of soft- and hardware and plugging it in. After all, you’re doing your own hosting! If you’re completely new to that, it might be nice to have someone nearby to help. But I’ll try to write this in such a way that you can follow along even if you’re not doing it yourself.

The beginning: a computer

To have cloud services on your computer, you need a computer. You can either rent one in a datacenter (a virtual private server, a dedicated system, an old computer you can move to a co-location space, ...), or you can use a computer at home.

In my case, I stumbled on the coop-cloud around the same time I decided to buy a small computer as a home server and to play around with (to sharpen my linux skills, to experiment with software, etc). Home servers and home (network) labs come in various sizes and can be endlessly complicated (if you think “how complicated could that be?” just go over to /r/homelab and look at what is considered a simple setup there). If you're new to this: look for something with low power consumption (and ideally silent). If you, like me, don't have reasonably efficient old hardware: these days, there are small form factor and virtually silent machines out there for as little as 150€ (plus taxes). Good search terms NUC (next unit of computing, an Intel-thing) and SFF (small form factor). I went with a GMKtec device based on a recommendation from a friend.

Network

You should be aware that for this setup to work well, you'll need to expose your computer to the internet, so that others can talk to it. This is not an issue in a datacenter, but in a home network, you should be aware that your exposed computer can talk to any device on your network. This means you'll need to keep an eye on it and update it regularly (or shut it off). If you want to operate something long term for other people to use, consider investing in a firewall (a network device that separates your new computer from the rest of your network).

Internet Service Provider

For home network use, you may need to contact your internet service provider: some use a technique called DS-Lite/dual-stack Lite by default to save on IPv4 addresses. Simply put, this means your home router doesn't actually get a normal IPv4 address (which means you can't host locally). In my case, a brief call to the ISP and a router reset was enough to get DS-Lite disabled. If you have DS-Lite, you may still be able to get a working IPv6-only setup – it looked to me as though this were not straight-forward, but I haven't looked into it.

Domain

If you don't have a domain name, you'll need one. There are tons of services that offer domains – there are some things to look out for:

1. Being able to set either a wildcard A-Record or CNAME-Record. An A-record is a DNS entry that contains the (sub) domain name and the associated IP address, while a CNAME-Record is like a reference to another A-Record.

2. if you're setting up on a home network: support for dyndns/dynamic DNS. The reason for this is that many internet service providers regularly change IP addresses. DynDNS is a feature where your home router tells your domain name provider the new IP regularly.

Putting it all together

Connect your computer to the network, ideally by cable and not by wifi if it is your home network. You may want to tell your router to always assign it the same IP (for convenience).

If you're using a home network, you'll need to set up your domain and dyndns. Otherwise, follow your providers' instructions on how to assign your domain to the IP address of your system. Domain and dynDNS setup also depend on your router and provider, but basically the idea is 1) configure DNS, 2) prepare dynDNS, 3) set up the dynDNS automatic update. For the latter, your provider will have an update URL of some form, which you will need to tell your router. Your router will use the URL to tell your provider the new IP. Here's a tutorial from provider OVH here is a dynDNS setup guide for the FRITZ Box router.

Next: if you're using a home network, expose your computer to the internet, ideally via port forwarding (though some routers have a feature that exclude the entire system from their rudimentary firewall). You'll most likely want tcp ports 80 and 443 (for HTTP/web server traffic with and without encryption/tls respectively – we'll get to this, but unencrypted is not critical and recommended to get certificates via letsencrypt). If you want to manage your personal cloud remotely, you'll also need tcp port 22 (for SSH). You can also configure all this network stuff later, but you’ll need it once you set up abra.

Next up: install linux on your new machine.

Coop-cloud: Install Linux

Installing linux can be as hard as you want it to be. I won't spend too much time on this. You'll need ssh, git and docker, these are available practically everywhere.

If you just want a working system, go with something like debian.

If you want to fiddle around and get sidetracked a lot, go with something like arch linux (this is what I did, though if I would do it again, I’d probably go with debian).

A few things to consider if this is more than a toy project for you:

- if you're doing hosting for other people, consider that control of your computer means control over all the data.

- if you're going to host a lot of data, you'll want some extra way to store a large amount of data (possibly on a separate system).

- especially if you're hosting something political, remember that authorities may confiscate your system. This (eventually) means access to the data and (perhaps) more importantly, it means that your system will be gone for a long time.

- the setup we'll be using is based on docker. It assumes that you will have a user in the docker group. This means that if someone else manages to log in as this user, they will be able to gain full control over your system. If all you have is your coop-cloud, that doesn't matter much – it just means that you should avoid using this computer for things besides your coop-cloud. Check out the coop-cloud FAQ for more on this.

Coop-Cloud: Overview of Technologies and Concepts

This will try to give a brief and beginner-friendly overview of all the things that go into running a coop-cloud. It may be a bit daunting at first: don't worry, you won't need to know the ins and outs of everything to be successful. Do be aware that there is a lot more complexity “below the hood”. And hey – the coop-cloud people are super nice and always welcome help – ask them questions!

You can also skip this and jump straight into the abra operator tutorial, which walks you through setting up your first app (a personal nextcloud!).

Terminology: Developers, Maintainers and Operators

In big (and small) tech firms, a lot of these things are often done by that firm. For example, the company Meta both develops, maintains and operates the Instagram service. You'll probably have a rough idea of what these words mean, but here's a brief summary:

- Developers are people that create software. They make sure it does what it should do in the scenarios for which it is designed, fix bugs that come up, deal with security issues, come up with new features and make a lot of choices around how the software is build/should be used. Depending on the type of software, it may be used directly or distributed by maintainers for various operating systems. For example, the developers of Mastodon build the software that can be used to run a social media server.

- Maintainers are people that take existing software and make packages or (in the case of coop-cloud) recipes out of them. Their job is to maintain a working version of the software, integrate it with other software, or make it useable in a specific environment. For example, a maintainer could package a Mastodon server in such a way that it can be used on a debian linux system, which can then be used by operators to run a Mastodon service.

- Operators are people that run services. For example, they might use a combination of different products, hardware components and software to enable users to do things. For example, operators might run a social media service with the Mastodon server software. Users only need to interact with the operator's servers, they don't need to know about all the maintainers and developers.

Containers and Docker

If you've ever tried to get software that someone else wrote running on your machine manually, you'll know that there are hurdles, because every linux system works slightly differently, uses different conventions or has different versions of the same libraries. This is one of the problems that containers are used to solve. The idea is: put everything you need to run a specific piece of software into a self-contained box. If you can run boxes of this kind, you can now run any software delivered in such a box. In short, docker is the software used to run boxes. Dockerfiles are like blueprints for such boxes, which can be made into a copyable image. If you take a copy of such an image an run it, you have a container running the software. *Note: this is all a bit of an oversimplification – for example, containers share a kernel with the host system and are thus not completely self-contained.*

Containers are a de-facto standard to make software widely available; a main advantage of containers is that the software developer(s) have a lot of control over variables that are normally specific to each linux distribution, which reduces the work required to make sure that the software runs correctly (because there are fewer variables involved). They do this by writing a Dockerfile (and sometimes a compose file, but we'll get to that) and often by putting a ready-to-go image on a service like dockerhub. This is good for you, because you don't need to deal with the complexities of maintenance, and if you want to run multiple services, you won't need to worry about conflicts due to different dependencies – you can just pull the image and run it.

Compose and Docker Swarm

At least, that's how it works for simple, self-contained software. However, a core principle of software development over the last five decades has been re-use of software. Software often builds on other software – this means that we don't have to keep re-inventing the wheel. For example, a developer may just want to use a relational database. This is typically where maintainers or operators come in again: take software and configure it to use the correct database, with the correct mail server, do the backups with the right system, etc. This kind of defeats the purpose: the whole idea of containers was that they are self-contained (*again note: this is a huge simplification and not the only reason we have containers*). This is where compose files come in – they're a way to describe how a set of different containers works together to offer a service. For example, they might have a web server, a mail server and a database each in separate containers and define the interactions. Again: very useful for portability – and often geared towards making collaborative development easier.

However, for real services, it is often necessary to do additional configuration – adding domain names, setting passwords, choosing which features are enabled, etc. Docker Swarm allows people to use compose files to design configurations and services. Configurations, Services and Secrets are used in combination to build a complete service. Docker compose can also do a lot of this, but docker swarm offers additional features, such as health checks and autoscaling (though it is not quite as advanced as kubernetes, which allows you to organize complete clusters of systems – that's beyond the scope of this text, though). Conveniently for us, docker swarm also makes it easier to manage configurations. However, it can be quite difficult to use and it requires quite a bit of Docker experience to use docker swarm from scratch.

Abra: Recipes, Operators and Maintainers

The nice folks at coop-cloud have thought of a solution for this problem: abra. Abra is a fairly small piece of software that gives you a friendly command line interface to manage your services without remembering lots of docker commands. It does this by introducing recipes: standardized and re-usable configurations. Whenever you run something on your cloud, you'll basically use the following pattern:

find a recipe
create an app
configure the app
deploy the app
do stuff in the app

If there is a recipe, it can really be this easy (and if you have a bit of computer experience, you’ll probably find the tutorial quite easy to follow). This blog, for example, was set up through these steps.

First steps with your coop-cloud

So, if you’ve followed along, you’re well on your way to operating your own coop-cloud! We’re now going to dive into a bit of software and command line usage. This will be a more verbose discussion of what the new operator tutorial says, so if ssh and command line Linux use is familiar to you, you may just want to go there. The rest of this text hopefully gives you the basics and ways to read more when needed. Again, if you’re setting this up for multiple people, be aware that you may need additional Linux skills down the line to fix issues that may arise during upgrades – make sure you have these if you’re putting life-essential things in your coop-cloud (such as using it as your password manager instead of a cloud service like LastPass).

The coop-cloud uses a tool called abra as a core tool for operators. The idea is that you can do most you need to do with apps (starting, configuring, deploying, upgrading, …) through there. The apps are then the things running on your cloud – such as nextcloud or this blog. Remember, clouds are just computers – in this case, it is the server you’ve set up. You can use abra on the server that runs your apps, but it is designed for use on the system you use every day (we’ll call this workstation). That means you’ll have your configuration on your workstation (and possibly on other peoples’ workstation, if you jointly manage the server).

In short: ssh-keygen ssh-copy-id -i /path/to/key <server-user>@<server-domain>

Then add the following to your ~/.ssh/config: Host <server-domain> User <server-user> IdentityFile /home/<username>/.ssh/my-coopcloud PasswordAuthentication no

Use this to only type your passphrase once: eval `ssh-agent` ssh-add

To do this remote management, it uses ssh – most operating systems (though not Windows) come with it. The operator tutorial kinda skips over this, but you’ll want to set up an ssh key and use ssh-agent. Before the step-by-step guide, here’s a brief summary of why and how. Such a login is slightly more secure, but more importantly, it saves you from needing to type your password every time. It works by using a public key (which you’ll copy to the server) and a corresponding private key (which is the secret bit, like your password). When you log in, cryptography is used in such a way that the private key never leaves your computer (unlike with a password). This also means anyone with the private key can log in – this is why it is protected by a passphrase (which is just another name for a password). ssh-agent then allows you to type your password once and use your key until you close your terminal.

You’ll (at least) need your server’s domain name, a user on your server and ssh running on your server. An explanation can be found here. If running on a home network, make sure port forwarding for ssh is set up (see linked tutorials in the networking section in an earlier post).

Side-Note: The coop-cloud operator tutorial assumes you also manage your server remotely. If you don’t want to expose your server to logins from the internet, you can usually just set a name in the /etc/hostname file on your server while you set it up, by putting something like my-coop-cloud in that file – on most local networks, that “just works”, and you can log in to your server from your workstation by using this as the domain name, but be aware that some abra commands will complain later on; use the -D or —no-domain-checks option to circumvent that.

First, we create a key, by running:

ssh-keygen

This will create a key with the default settings. It will ask you where to store it (I recommend using a name like /home/<username>/.ssh/my-coopcloud) and then a passphrase. You can leave that field empty and not have one, but: use a passphrase. Your private key will then be the /home/<username>/.ssh/my-coopcloud and the public key will be the file /home/<username>/.ssh/my-coopcloud.pub. Now copy your key to the server (replace <server-user> with the user on your server and <server-domain> with your server’s domain). You’ll still need your password here.

ssh-copy-id -i /home/<username>/.ssh/my-coopcloud.pub <server-user>@<server-domain>

Side-note: many tutorials will have you manually copy the file over and add it in ~/.ssh/authorized_keys; ssh-copy-id does the same, just all in one command.

On your workstation, you can now add set following configuration:

Host <server-domain> User <server-user> IdentityFile /home/<username>/.ssh/my-coopcloud PasswordAuthentication no

If you put this in the file /home/<username>/.ssh/config, future logins will work as:

ssh <server-domain>

However, you still need to enter the passphrase of your key. To save you the trouble, use these commands to load your key:

eval `ssh-agent` ssh-add

After you enter your passphase, your key will now be used automatically.

Explanation: the command ssh-agent generates a few lines of code; the `` tell your command prompt to give this code to the eval command, which then executes that code. Understanding the exact functionality requires background on linux sockets and process management, but if you’re interested, check out the manual. There are also ways to make sure the ssh-agent runs as soon as you log in to your workstation (this answer either by adding some code to the startup of your command line in ~/.bashrc or via systemd). Then you’ll just need ssh-add and it will work in all your command lines.

Especially if you’re managing your server via the internet, I recommend disabling password authentication. Before you do this, consider making a backup of your key (or have some other way of connecting to the server without ssh, for example, by connecting a keyboard and a monitor). If you read the configuration above, you might have noticed the line that says PasswordAuthentication no – this tells your workstation to not use password authentication when talking to your server. To tell your server never to accept passwords, you’ll need to update the configuration on the server. The configuration file on the server is normally /etc/ssh/sshd_config and in it you can disable password authentication by finding these lines and removing the # at the start of the second line:

# Change to no to disable tunnelled clear text passwords #PasswordAuthentication no

You’ll need to restart your sshd, which can be specific to the Linux distribution you installed. Typically:

systemctl restart sshd

Side-note: the “d” in sshd refers to “daemon” and means background service – it is the software that accepts the connection when you type ssh <server-domain> on your workstation. This is a common pattern throughout the Linux-world. There are many more configurations you can make that further help security, but for this you’re better off looking at a dedicated tutorial for sshd. But don’t worry – most Linux distributions provide a reasonably secure default configuration.

Set up docker

The tutorial gives you a pretty concise way to set up everything you need. However, as it points out, curl https://get.docker.com | bash is not the recommended way for long-term use. The official docker installation guide has an overview for various operating systems. I recommend relying on the package manager and install docker as part of your Linux installation process (I’ll probably one day update that blog to explain a simple installation). The guide also tells you to set up docker swarm and create two networks for it – these will be used to make sure all your apps are talked to over a single special app called a proxy. The proxy is software that enables you to run multiple apps on the same port. Finally, it recommends that you add your server user to the group docker, which allows this user to use docker commands. Remember that this means anyone that can log in as this user can manage all your apps and (with a bit of hacker wizardry) access all your data. This is why the passphrase for your ssh key is important.

Installing abra

There are a couple of ways to install abra – the script method in the guide is “good enough”, an overview is here. Setting up autocomplete might sound like a hassle, but it’s not that complicated and makes our life way easier. After that, getting abra to talk to your server is as easy as:

abra server add <server-domain>

If you’re not connecting to your server via the internet and your server domain is something like my-coopcloud, make sure to use that name here. The guide recommends against this, but at least in my experience, it still works.

Before we move on to the web proxy setup, I recommend setting up versioning for all your apps. This works as follows (on your workstation):

cd ~/.abra/server/<server-domain> git init touch README.md git add . git commit -m “empty configuration”

If you’ve never used git before, it will tell you to provide an e-mail address and name – you can use anything you want (you’ll need to repeat the last line afterwards). You can share this repository with anyone else managing the server, or make a backup. There’s a lot to learn about git, but if you don’t want to care about that, just remember to do the following whenever you change the configuration of the server:

cd ~/.abra/server/<server-domain> git add . git commit -m “<a summary of your change>”

The reason this is useful is that if something goes wrong, while you’re making the change, you can go to this folder and reset to the last time you made a change (this will discard all changes!):

cd ~/.abra/server/<server-domain> git restore .

Note that this only applies to the files located in .abra/server/<server-domain>; it can’t be used to repair errors on the server itself.

Your first app: traefik and nextcloud

Now we’re ready to run your first app on your personal coop-cloud! As mentioned, we’ll use a proxy so that you can deploy multiple apps without lots of hassle. The proxy is called traefik and the setup is as easy as this, where is a sub-domain of your coop-cloud (for example, traefik.my-coopcloud):

abra app new traefik abra app config <traefik-domain> abra app deploy <traefik-domain>

As the guide notes, the config step will open an editor that allows you to configure your proxy. Setting up nextcloud works almost the same way:

abra app new nextcloud --secrets abra app config <nextcloud-domain> abra app deploy <nextcloud-domain>

The first line is different, because the nextcloud app has secrets that should not be stored in a configuration file. Make a habit of storing these in a secure way. In many cases you can read them from your container via abra app run <nextcloud-domain> app -- cat /run/secrets/admin_password, but try not to make a habit of it, because it is not guaranteed to work everywhere. For an in-depth overview of secrets, check out the docker manual; if you store your secrets carefully, you probably won’t need this page, though.

By the way: traefik and nextcloud are recipes, they’re used via abra app new <recipe> and you’ll find information about their requirements at the recipes page. Now you can go crazy and set up all the apps you want. However, you’ll also want to actually use the app!

Administrating your new nextcloud service

If you’re not familiar – nextcloud is a package that lets you synchronize files, but there are also many other plugins (such as calendars and a simple task manager), which can be installed from github. Both the installation of plugins and the creation of accounts happens via nextcloud’s admin interface – this is a common pattern in the coop cloud — deploy an app and then configure it. For nextcloud, just open a browser and go to <nextcloud-domain> with your admin password from above. The standard admin username is admin, if you did not change it during abra app config (the variable name is ADMIN_USER; if you’re not sure, whether you changed it, just run abra app config <nextcloud-domain> again).