TL;DR Follow the instructions on https://github.com/faevourite/mastodon-oracle-cloud-free-tier.
When you join Mastodon you lend trust to whoever runs your server, including trust that they moderate the content, keep the service well-maintained, and back up its data. This is easy if you know the people running it! If no one in your friends/family group is running a server already, and you don’t mind the administrative responsibility that services like Masto.host save you, you can host your own without breaking the bank by leveraging Oracle Cloud’s generous free tier.
I did this recently to set up my personal instance! In addition to the reasons above, I wanted to own my data, have a @glyphy.com handle, and be able to make small tweaks to Mastodon itself (like adding custom server emoji). The last two reasons are admittedly all in service of my vanity. Mastodon can verify my identity via links in my profile, and I have writer’s block when it comes to the custom emoji (typist’s block?). But personalization is the soul of IndieWeb and I’m here for it.
While I could just create a free account on Oracle Cloud, spin up a 4-core 24GB ARM-based compute instance (free tier limit) using the console admin UI, and follow the official Mastodon installation instructions, I wanted something more maintainable and automated. If (when?) I mess up my instance beyond repair I’d like to be able to recover quickly.
Here’s what I ended up using to accomplish this:
- Docker for running everything
- Core components: Mastodon apps, Postgres DB, and Redis cache
- Caddy, to serve everything over TLS, with a certificate provisioned using its Cloudflare integration
- Backups via Kopia
- Healthchecks.io and Newrelic for monitoring (free tiers)
- Ansible to install and configure all of the above
- Terraform to provision the underlying cloud infrastructure
- Cloudflare (free tier again) to manage DNS and provide some bot protection
- Sendgrid (you guessed it, free tier) for Mastodon emails, such as password recovery
- Pushover for cron job failure notifications
- This is the only thing that’s paid here (optional, though). $5 lifetime per device. It’s more than paid for itself over the years.
I put all the scripts and manifests together into this GitHub repository, along with instructions on how to get it all running.
Below are just some notes about the different choices, mostly so I myself remember them when they invariably turn out to be wrong.
I don’t want to deal with random OS portability issues or package conflicts. Docker also has a nice side effect of requiring me to think about where things will be stored. An inventory mandate.
One thing I’m worried about is the difficulty of future updates that require some manual steps in a specific order. Docker-compose’s “bring everything up together” behaviour spells danger here. I don’t mind a little bit of downtime on this personal instance, but it may be a bigger deal otherwise.
Serves as few purposes:
- Multiplexes the “web” and “streaming” containers over the same domain
- Enables compression
- Sets aggressive caching headers
- With its Cloudflare DNS module it can provision a TLS cert, which means that Cloudflare->Mastodon traffic is also over HTTPS, and I can just block port 80 entirely
As far as backup software goes, it’s relatively young, but I like it. I recently switched to it for some personal backups. It’s like a fancier restic. I point it at Google Drive via rclone (baked into Kopia’s Docker image). If/when I run of storage there I may move to Backblaze B2.
This is a recent discovery. It’s like a dead-man’s switch for cron jobs, and has its own copious free tier. I have it integrated with Pushover and email, but it supports many other notification systems.
I first tried using Ansible to provision the infrastructure, but (slowly) realized why Terraform is preferred for this sort of work. The latter keeps track of state. With Ansible, I think I would’ve had to save the IDs of every piece of infra somewhere, and then read it back on startup, to avoid having it try to re-create what already exists.
I turned on its proxying for my Mastodon domain. I was worried at first since they seem to mess with traffic initiated by systems, but so far I haven’t noticed any problems.
I don’t feel great about using a service that supports right-wing extremists. I’d like to move away to one that’s less harmful. For now, I just promise myself not to give them any of my money. I don’t mind turning off their bot protection, and Caddy is able to automatically refresh a TLS cert, so they’re really only managing DNS for me right now.
Their customer service is atrocious and the product is stale. But I already had an account, so that’s what I went with. I turn off all email notifications from Mastodon itself except for password resets.
Overall, I’m very happy with how this all turned out. Maybe one day OCI will clamp down on its free tier or my account will get more popular (unlikely) and I’ll be forced to pay up for more infra, which is ok with me. I also like the idea of being the only one to blame when something goes wrong with my own instance.