Hosting this site at home now


I've always been curious about self-hosting, but also kind of scared to do so. The security implications of exposing services to the world are a bit scary. Letting WAN traffic into the LAN feels a bit like leaving the door unlocked. Our ISP also gives us a dynamic IP, making DNS resolution a bit more complicated than it needs to be. But then I found out about tunnels. I had a free day to spare, and decided to finally pull the plug on this project.

First off, I bought a domain name from Cloudflare. They, nicely enough, do not charge any markup as a registrar. So I bought fikamedhasse.com for about $10. Then I flashed Debian to my SD card, booted up the Pi 4B and installed nginx. I threw up an HTTP server serving static content on the LAN for development and testing, just mirroring the static HTML files at ctrl-c.club. Once I was satisfied, I installed cloudflared on the Pi and set up a tunnel, resolving fikamedhasse.com to the Argo tunnel according to this article. And badabing badaboom, the site was public. I then installed UFW and disallowed every incoming connection except SSH from the LAN only, and disabled password login over SSH. Finally, I reconfigured nginx to serve HTTPS using the origin certificate Cloudflare had been nice enough to generate, and moved the tunnel from port 80 to 443. I enabled the HTTP to HTTPS redirect in the Cloudflare dashboard, and set up some cron jobs on the Pi to rsync ~/public_html from ctrl-c.club to the Pi. The synced content is not moved to the webroot, as the cron job does not run as root. I also don't want to automatically compromise my Pi if my ctrl-c account gets compromised. Feel free to check it out and tell me what you think at fikamedhasse.com!
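
One way to check the firewall and SSH settings described above, as an added example that is not part of the original post. The LAN subnet 192.168.1.0/24, the function names and the sample `ufw` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for the UFW and SSH hardening steps described in the post.
# Constructed sample of `ufw status verbose`; 192.168.1.0/24 is an assumed LAN subnet.
UFW_SAMPLE='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    192.168.1.0/24'

# Reads `ufw status verbose` output on stdin; $1 is the LAN subnet.
# Succeeds only if UFW is active, incoming traffic is denied by default, and
# every inbound allow/limit rule is port 22 from exactly that subnet.
ufw_is_lan_ssh_only() {
    awk -v lan="$1" '
        /^Status: active/                { active = 1 }
        /^Default:.*deny \(incoming\)/   { deny = 1 }
        / (ALLOW|LIMIT) IN / {
            if ($1 !~ /^22(\/tcp)?$/ || $NF != lan) bad = 1
        }
        END { exit !(active && deny && !bad) }
    '
}

# Reads sshd configuration on stdin, ideally the effective one from `sshd -T`.
# sshd keeps the first value it obtains for a keyword, so only the first
# PasswordAuthentication line counts; with no such line the default is "yes".
sshd_password_login_disabled() {
    awk '
        tolower($1) == "passwordauthentication" {
            found = 1; ok = (tolower($2) == "no"); exit
        }
        END { exit !(found && ok) }
    '
}

# Demo on constructed input. On the Pi itself (as root) you would run:
#   ufw status verbose | ufw_is_lan_ssh_only 192.168.1.0/24
#   sshd -T | sshd_password_login_disabled
printf '%s\n' "$UFW_SAMPLE" | ufw_is_lan_ssh_only 192.168.1.0/24 \
    && echo "ufw: only SSH from the LAN is allowed in"
printf 'PasswordAuthentication no\n' | sshd_password_login_disabled \
    && echo "sshd: password login disabled"
```

Because the tunnel is an outbound connection from cloudflared, a passing firewall check with no rule for ports 80 or 443 is the expected result for this setup.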