Overview
We are using Coolify as our self-hosted platform to manage and deploy web applications. You can think of it like an open-source version of Heroku - it gives us a simple web dashboard to spin up and manage Docker-based apps on our VPS.
Our VPS is hosted via FlokiNet in Iceland.
Server details:
OS: Ubuntu 22.04 LTS
CPU: 10 Cores
RAM: 12GB
Location:
We chose Iceland because it is not part of the US-led surveillance alliances (Five/Nine/Fourteen Eyes). There are no guarantees, of course, but being outside the US makes it less likely that the host is simply streaming data to US agencies, and it makes legal process from domestic agencies significantly more difficult.
Coolify Docs: Introduction to Coolify | Coolify Docs
Coolify Login: https://coolify.workingclassunity.com
Main Tasks
Implement backup strategy
We need daily (or weekly) backups of everything to prevent data loss.
What needs backing up:
Coolify configuration and settings:
Coolify’s own database, which contains all configuration, user accounts and internal settings, plus its .env file (/data/coolify/source/.env, which holds the APP_KEY that protects secrets stored in that database) and any custom configuration files or environment variables used by Coolify. A database dump without the matching .env cannot be restored.
All databases for each service:
Application databases used by the various services should be backed up individually (a consistent dump per database, not a copy of the live data directory).
User-uploaded files and documents:
Docker volumes: Any user data, uploads, or persistent files are typically stored in Docker volumes or bind mounts. These must be backed up separately from the databases and configuration files.
Application configurations:
Custom docker compose files or scripts.
Tasks
Research Coolify’s built-in backup features: Coolify can schedule backups of the databases it manages (and of its own database) to S3-compatible storage; check whether that covers Docker volumes and what the restore procedure looks like.
Research other backup solutions:
- Perhaps this: GitHub - offen/docker-volume-backup: Backup Docker volumes locally or to any S3, WebDAV, Azure Blob Storage, Dropbox or SSH compatible storage
- Everything should be encrypted before it leaves the server, Coolify’s own configuration included: Coolify’s database together with its .env contains every application’s environment variables, the SSH private keys Coolify uses to reach the server, and any storage or Git provider credentials, so a plaintext copy is at least as sensitive as the application data. Once the archives are encrypted client-side, any object storage will do (AWS S3, Backblaze B2). Store the encryption key somewhere other than the server and the backup bucket: if it only exists on the server a rebuild cannot restore, and if it sits in the bucket the encryption protects nothing.
Document possible solutions, how you plan to test the backup/backup restoration process, and finally test on a demo server.
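As an added example of the encrypt-before-upload and restore-test steps above (this is not Coolify’s or WCU’s code, and not what docker-volume-backup does internally): a small POSIX shell script that archives a volume directory, encrypts it with a key that never leaves the box in plaintext, MACs the ciphertext, and verifies a restore file by file. The volume paths in the comments are hypothetical; the only tools assumed are tar, gzip, openssl and sha256sum.

```shell
#!/bin/sh
# Added example (not Coolify's or WCU's code): encrypt-then-MAC a volume's
# contents before they leave the server, and prove a restore is complete.
# Assumes: POSIX sh, tar, gzip, openssl, sha256sum. The key file holds a hex
# string from `openssl rand -hex 32` and must NOT live in the backup bucket
# or only on the server being restored from scratch (keep a copy off-box).
set -eu

# Encrypt SRC (e.g. /var/lib/docker/volumes/<vol>/_data, a hypothetical
# volume path) into OUT.tar.gz.enc with a detached HMAC in OUT.tar.gz.enc.hmac.
backup_dir() {
  src=$1; out=$2; key=$3
  tmp=$(mktemp -d)
  # Per-file hashes travel inside the archive so a restore can be checked
  # file by file rather than trusting "tar exited 0".
  ( cd "$src" && find . -type f -exec sha256sum {} + ) > "$tmp/.manifest.sha256"
  tar -cf - -C "$src" . -C "$tmp" .manifest.sha256 \
    | gzip -c \
    | openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -pass "file:$key" -out "$out.tar.gz.enc"
  # Encrypt-then-MAC: the HMAC covers the ciphertext, so tampering is
  # detected before any decryption happens. hexkey: uses the raw key bytes,
  # distinct from the PBKDF2-derived encryption key above.
  openssl dgst -sha256 -mac HMAC -macopt "hexkey:$(cat "$key")" "$out.tar.gz.enc" \
    | awk '{print $NF}' > "$out.tar.gz.enc.hmac"
  rm -rf "$tmp"
}

# Verify the HMAC, decrypt ENC into DEST, then check every file against the
# manifest. Returns non-zero on any failure, so it can gate a restore drill.
restore_dir() {
  enc=$1; dest=$2; key=$3
  want=$(cat "$enc.hmac")
  have=$(openssl dgst -sha256 -mac HMAC -macopt "hexkey:$(cat "$key")" "$enc" | awk '{print $NF}')
  if [ "$want" != "$have" ]; then
    echo "HMAC mismatch on $enc: refusing to decrypt" >&2
    return 1
  fi
  mkdir -p "$dest"
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass "file:$key" -in "$enc" \
    | gzip -dc \
    | tar -xf - -C "$dest"
  ( cd "$dest" && sha256sum -c --quiet .manifest.sha256 )
}

# Usage (hypothetical paths):
#   backup_dir /var/lib/docker/volumes/hedgedoc_uploads/_data /backups/hedgedoc-$(date +%F) /root/backup.key
#   restore_dir /backups/hedgedoc-2024-01-01.tar.gz.enc /tmp/restore-drill /root/backup.key
```

The restore drill on the demo server is just `restore_dir` into an empty directory followed by starting the service against that directory; a backup that has never been restored this way should not be counted as a backup. Stop the container (or dump the database) before archiving, since a volume copied while the application is writing may not be consistent.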
Set up access control system
We need to control who can access what services
The current challenge:
- Some services (like the Discourse forum) should be open for everyone to access and already have a built-in way for us to give certain users more privileges than others
- Others should only be accessible to approved WCU members
- Others still should have their backend/registration only accessible to WCU members, but the public should be able to access the front end (for example, rallly (meeting scheduler) should allow the public to input when they are available however only WCU members should be able to create polls)
Recommended solution: Authentik
- Coolify already supports Authentik
- It has good documentation for integrations: Integrations overview | authentik
- It could act as a central login system for our services
- Would provide a Single Sign-On (SSO) for compatible services
- Could use reverse proxy authentication for apps without a login
Tasks
- Research alternatives to see if any others are compelling
- If not, let’s stick with Authentik. We don’t need documentation on the others if they don’t appear better after a quick review.
- Install Authentik via Coolify
For the apps that are already installed or planned, do the following:
- Set up SSO between Authentik and apps that support OAuth2/OIDC
- Don’t do this for the WordPress installation (it is the main app currently in use)
- Disable public signups for each app
- Configure Authentik as a reverse proxy (forward auth in front of Coolify’s Traefik proxy) for apps that don’t have login systems. Authentik’s proxy provider can leave specific paths unauthenticated, which covers the rallly case if its public and member pages live on distinguishable paths: the availability page stays open while poll creation sits behind the login.
- Document how new users are added/invited
- We currently collect dues via Stripe. The intent is to give members a one-month grace period after a failed payment before treating their “subscription” as “past_due” and triggering actions such as removing forum/backend access. If changing user roles or removing WCU Membership level access could be automated by connecting Stripe to Authentik via n8n (n8n receives Stripe’s webhook events, e.g. invoice.payment_failed and customer.subscription.updated, and updates the member’s groups through Authentik’s API), please document how.
Install additional services
Several new services need to be added to our Coolify instance, or are already installed and still need to be configured. Some can be installed directly through Coolify’s built-in catalog, while others will need custom Docker configurations.
Custom docker installs, in order of importance
- Discourse Forum
- Jitsi Meet
- HedgeDoc
Via Coolify Catalog
- authentik
- n8n
- pocketbase
- rallly
- vaultwarden
- wordpress
- GetOutline
- paperless
- documenso
- formbricks
- calibre web (but also need calibre backend)
Still need to research a solution
- Something like Chatwoot (https://www.chatwoot.com/) to centralize social media messages in one inbox and provide a chat widget on the website
- If we do switch to Outline for documentation, FileBrowser could host files. Storage space on the VPS remains an issue for self-hosting, but we could keep video/graphics on Google Drive (they are public anyway) and self-host everything else.
- Something to monitor the different services (like GitHub - louislam/uptime-kuma: A fancy self-hosted monitoring tool) so we are alerted when a service goes down.