I'm currently hosting this site on a Raspberry Pi 4 with 4 GB of RAM. The host OS is the default headless image 'Raspberry Pi OS Lite (64-bit)' that comes with the stock Raspberry Pi Imager.
For additional security, I've disabled password authentication and only allow SSH key-based authentication. I've also disabled password-based root login and only allow sudo access to the pi user.
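One way to confirm that the running SSH daemon actually enforces these settings is to audit the output of `sshd -T`, which reports the effective configuration after any drop-in files under `/etc/ssh/sshd_config.d/` have been merged. This is an added example, not part of the playbook; the sample outputs are constructed, and the keyboard-interactive check is an extra assumption beyond the settings listed above.

```python
import subprocess

# Lower-case keys: `sshd -T` prints the effective configuration in lower case.
EXPECTED = {
    "pubkeyauthentication": {"yes"},
    "passwordauthentication": {"no"},
    # Keyboard-interactive (PAM) can still prompt for a password.
    "kbdinteractiveauthentication": {"no"},
    # `sshd -T` may print the older synonym "without-password".
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
}

# Constructed sample of `sshd -T` output, not captured from the author's host.
SAMPLE_HARDENED = """\
port 22
permitrootlogin without-password
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
"""
# Same host after a drop-in file re-enables passwords (constructed).
SAMPLE_OVERRIDDEN = SAMPLE_HARDENED.replace(
    "passwordauthentication no", "passwordauthentication yes")

def parse_effective(text):
    """Parse `sshd -T` output: one 'keyword value' pair per line."""
    config = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            config.setdefault(key.lower(), value.strip().lower())
    # Older OpenSSH releases report this keyword under its previous name.
    if "kbdinteractiveauthentication" not in config:
        legacy = config.get("challengeresponseauthentication")
        if legacy is not None:
            config["kbdinteractiveauthentication"] = legacy
    return config

def audit(text):
    """Return (keyword, actual, allowed) for every setting that deviates."""
    config = parse_effective(text)
    return [(key, config.get(key), sorted(allowed))
            for key, allowed in EXPECTED.items()
            if config.get(key) not in allowed]

if __name__ == "__main__":
    # Needs root: sshd -T validates and dumps the effective configuration.
    out = subprocess.run(["sshd", "-T"], capture_output=True, text=True, check=True)
    for key, actual, allowed in audit(out.stdout):
        print(f"FAIL {key}: got {actual!r}, expected one of {allowed}")
```

Run it with sudo on the host after the playbook has been applied; no output means every checked setting matches.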
To ensure the build of the server is repeatable in case of catastrophic failure, I am using an Ansible playbook to configure the host from its initial state. For reference, the playbook is available on GitHub.
This script goes through the following steps:
Using Ansible, it's a simple case of running the following commands to configure the host:
# Ensure that the ansible dependencies are installed
ansible-galaxy install -r requirements.yml
# Install the playbook
ansible-playbook -i inventory -e @secrets.enc --ask-vault-pass frontend.yaml
Using ansible-vault to encrypt the secrets.enc file that contains the private credentials allows me to upload the playbook to GitHub without exposing the credentials in plaintext form.
At a very high level, this is all that is required to get the site up and running.
matt@rpi4-2:~ $ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
bf71ab58890f containrrr/watchtower "/watchtower" 2 days ago Up 2 days (healthy) 8080/tcp watchtower
03e0936b613f ghcr.io/m5p3nc3r/website:main "docker-entrypoint.s…" 2 days ago Up 2 days 0.0.0.0:3000->3000/tcp website
6f81bfff4a29 nginx:mainline-alpine-slim "/docker-entrypoint.…" 6 days ago Up 6 days 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp reverse_proxy