> Where to host the blog: Our Recommendation: Use Substack or try out a hosted Ghost website—it’s a Goldilocks solution of easy-to-use but highly customizable. Ghost makes for a great portfolio site, blog, and newsletter service.
[Effective Ideas: Where to host the blog](https://effectiveideas.org/how-to-start-a-blog/#pt3)
No. Vat do I vant, and in vat order? Uncensorability, ability to ramp up degrees of privacy and paranoia, control over ze whole stack, and finally, ze modern comforts. Vith that in mind, I present my guide to uncensorability.
- The Canadian government [grossly overreached against Canadian truckers' freedom of speech](https://twitter.com/punk6529/status/1494444624630403083).
- [Youtube-dl was banned by Github](https://www.eff.org/deeplinks/2020/11/github-reinstates-youtube-dl-after-riaas-abuse-dmca).
- [EFF Sues Proctorio on Behalf of Student It Falsely Accused of Copyright Infringement to Get Critical Tweets Taken Down](https://www.eff.org/press/releases/eff-sues-proctorio-behalf-student-it-falsely-accused-copyright-infringement-get).
Personally, I've found it useful to wrap `pass insert -m` into an extension for pass (pass [append]()). I also found it useful to have a utility for [searching passwords](). And, as always, [backup](https://github.com/8go/pass-backup) stuff.
### Get an email
[Protonmail](https://protonmail.com/) is fine.
Mad Eye Moody recommends: Don't give Protonmail a backup email. Instead, make sure to make backups of your passwords. You can access Protonmail over [Tor](https://torproject.org/) [here](https://mail.protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion). For added paranoia, you can register an [XMPP identity](https://www.shad0w.io/) instead of an email address. Also, do your own research on which service providers are the most secure.
For zis, ve will use, of course, [njal.la](https://njal.la/). They're the non-evil twin brother of [Epik domains](https://www.epik.com/). From their [FAQ](https://njal.la/faq/):
> We're a team of committed internet activists and we're also involved in other privacy projects such as the IPredator VPN service. Some of us have also been involved in projects like The Pirate Bay and Piratbyrån to mention a few things.
> We support signing up for our service using email or XMPP (and yes, we use OTR). For email we also support PGP so all of our outgoing email will be signed and encrypted.
> We accept payments via Bitcoin, Litecoin, Monero, ZCash, DASH, Bitcoin Cash, Ethereum and Paypal.
Mad Eye Moody recommends: Use [tornado cash](https://tornado.cash/) to anonymize your transaction history before paying njalla. Check which top-level domain names are [more uncensorable](https://www.eff.org/files/2017/08/02/domain_registry_whitepaper.pdf) (from casual reading, I would go with .br, .cr, .is, .org, .ru, of which njalla supports only .org and .ru). If we wanted further anonymity and uncensorability, we could [set up an onion service](https://community.torproject.org/onion-services/setup/).
Previously, I had been using an Ubuntu server on [Digital Ocean](https://digitalocean.com), which offers servers from $5/month ($6/month including backups). But I have grown to dislike my system having 1GB worth of stuff that I don't understand. I also dislike wrangling with systemd services.
So I thought it would be fun to try Alpine Linux on [Njal.la's own servers](https://njal.la/servers/add/). This costs $15/month instead.
When buying a server from Njalla, we need to name it. And we will name it [`ramiel`](https://en.wikipedia.org/wiki/Ramiel) [^1]. We will also need to generate an ssh key to connect to it. The command to do this is `ssh-keygen -t ed25519`. After paying for our server, we'll want to set up payment to autorenew.
Add a DNS record pointing from your domain to your server. In particular, you want an A record. Note that it might take a while for it to propagate, so at this point, you can either:
Strictly speaking you could do everything as root, but this feels dirty. Instead, we will create two new users: one user with root privileges for admin tasks, called `ramiel`, and one user for normal operation of web assets, named `www`. The below process probably contains some bugs, which Stack Overflow or the Alpine and Arch Linux wikis should solve.
Then use [visudo](https://unix.stackexchange.com/questions/27594/why-do-we-need-to-use-visudo-instead-of-directly-modifying-the-sudoers-file) to add `ramiel ALL=(ALL) ALL` to `/etc/sudoers`.
Here we make our first—of many—compromises with the [suckless](https://suckless.org/) philosophy. Unlike simpler web servers, nginx—pronounced "engine x"—is not suckless. However, I do have a job, and I'm choosing nginx because it is well documented, widely used, and has good integration with certbot, the certificates bot from the Electronic Frontier Foundation which allows me to have https (also perhaps not suckless).
To install nginx, follow instructions from [here](https://wiki.alpinelinux.org/wiki/Nginx). Digital Ocean has a few good tutorials on how to get nginx up and running, e.g., [How To Install Nginx on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-20-04). Steps are very similar on Alpine, though Alpine doesn't have the `ufw` firewall, the package manager is called `apk`, not `apt`, and so on.
In this case, I chose to create a folder in the `/home/www` directory, rather than directly in `/www`. This is probably some residual scaredness from when I didn't want to play around too much with directories outside the home directory.
In any case, the commands I used to set up nginx were:
At this point, we can get a minimal website working. Create an `index.html` file somewhere, and use a nginx setup such as [this](https://github.com/NunoSempere/werc-1.5.0-tweaks/blob/master/etc/contrib/nginx/sites-available/nunosempere.com-simple) to check everything is working out ok. This is an important step, because it lets you check your work so far.
After some debugging, you should have a very simple yet fairly hard to censor website. Congratulations!
### Set up TLS
At this point, one might as well get TLS working, by following instructions such as those in [How To Secure Nginx with Let's Encrypt on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-20-04).
Before you install SSL, you will need a DNS record, and in particular, an A record, pointing from your domain to your server. It might take a while for the DNS record to be updated; around 24 to 48 hours.
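An added example, not part of the original post: a pre-flight check that the A record has propagated before running certbot. It assumes `dig` is installed (on Alpine, the `bind-tools` package); the resolver list, the function names, and the address `203.0.113.10` are illustrative.

```sh
#!/bin/sh
# Added example: confirm that a domain's A record points at the server
# on several public resolvers before asking certbot for a certificate.
# Assumption: dig is available; resolver list and names are illustrative.

RESOLVERS="1.1.1.1 8.8.8.8 9.9.9.9"

# Print the answers one resolver returns for a name, one per line.
resolve_a() {
    dig +short +time=3 +tries=1 A "$1" "@$2" 2>/dev/null
}

# Return 0 if resolver $3 answers with exactly the expected address $2 for $1.
# CNAME lines in the answer are ignored; extra or stale A records fail.
resolver_agrees() {
    answers=$(resolve_a "$1" "$3" | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u)
    [ "$answers" = "$2" ]
}

# Check every resolver, print one status line each, return 0 only if all agree.
dns_ready() {
    domain=$1 expected=$2 failed=0
    for r in $RESOLVERS; do
        if resolver_agrees "$domain" "$expected" "$r"; then
            echo "ok      $r -> $expected"
        else
            echo "waiting $r (no answer, stale record, or extra A records)"
            failed=1
        fi
    done
    return "$failed"
}

# Usage: sh dns-ready.sh your-site.org 203.0.113.10
if [ "$#" -eq 2 ]; then
    dns_ready "$1" "$2" || { echo "DNS not ready; hold off on certbot" >&2; exit 1; }
    echo "A record has propagated; certbot can validate the domain"
fi
```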
The commands for installing certificates are pretty trivial:
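```
# Install Python and pip, which the certbot nginx plugin is installed with
apk add --update python3 py3-pip
# Install certbot and its nginx plugin
apk add certbot
pip install certbot-nginx
# Stop nginx (OpenRC), then request a certificate and let certbot edit the nginx config.
# Replace your-site.org with your own domain.
rc-service nginx stop
sudo certbot --nginx -d your-site.org
```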
## 4. Into the rabbit hole
Our setup will look as follows:
![](https://i.imgur.com/69cnAw2.png)
And the steps we will use to get this working are:
- Install plan9port
- Install werc
- Configure werc
- Install discount markdown
- Configure nginx to work with werc
- Install fcgi
Why am I using werc in Alpine linux rather than, I don't know, [Pelican](https://blog.getpelican.com/) on Debian, or [Jekyll](https://jekyllrb.com/) on Github Pages or [Gatsby](https://www.gatsbyjs.com/) on netlify? Because I am a sadomasochist, that's why. Proba
### Install plan9port
Plan9port is werc's key dependency. I might be able to get werc working with musl. But I can't be arsed. Instead, I am installing plan9port side by side with musl.
[Werc](https://werc.cat-v.org/) is a work of genius by the mad architect Uriel. It describes itself as "a minimalist web anti-framework built following the Unix and Plan 9 tool philosophy of software design". It is a more hardcore version of Jekyll, Pelican, Blogger, or Wordpress.
```
git commit -m "feat: start keeping track of atomic changes on top of werc-1.5.0"
git remote add
```
It's good discipline to keep track of changes which are more or less atomic. This facilitates you remembering what changes you've done, and allows you to contribute back.
These tweaks are a bit opinionated (e.g., they assume that you have set up https). But they also make daily work more pleasant. Proceed with caution.
Mad Eye Moody recommends: Go through the [commit history](https://github.com/NunoSempere/werc-1.5.0-tweaks/commits/master) and pick and choose instead.
To use https instead of http, grep for http and change it all to https. Find the necessary files using `grep http -R bin/`, or have a look at [this git commit](https://github.com/NunoSempere/werc-1.5.0-tweaks/commit/18893f3192721144e82497dce751864faa4437e4).
And then have a look at [this commit](https://github.com/NunoSempere/werc-1.5.0-tweaks/commit/f492aa962b4c0627dd013f074c0d01000f6e70fe) for the necessary changes.
Configuring nginx to work with werc is the tricky part. Luckily, [here](https://github.com/NunoSempere/werc-1.5.0-tweaks/tree/master/etc/contrib/nginx) is an example working configuration, i.e., the contents of my `/etc/nginx`. Best of luck!
One of the key pieces to connect nginx and werc is [fcgi](https://wikiless.org/wiki/FastCGI?lang=en) (fast common gateway interface). It can be installed with
Installing fcgi, copying [my configuration](https://github.com/NunoSempere/werc-1.5.0-tweaks/tree/master/etc/contrib/nginx) and making the relevant changes probably still requires some tweaking and debugging. For instance, it's necessary that the nginx folder is owned by the `www` user. If someone wants to document this better, I welcome improvements.
## Backups
Backups, and then backups for the backups. For this, I would recommend some combination of:
- [tarsnap](https://www.tarsnap.com/)
- an online git service, like GitHub, GitLab or Codeberg
We have seen how to create a website which is decently anonymous and hard to attack. This isn't secure enough to support a drug empire (unless?), but it should be secure enough to post slightly edgy content online. We did this the hard way in order to not rely on services like WordPress or Netlify, which would probably buckle under external pressure.