How to completely self host Standard Notes - Part 1

Part 1

This part will cover setting up your own self-hosted Standard Notes instance and routing your instance through nginx to allow for public exposure. Part 2 will cover self hosting Standard Notes Extensions to allow you to use extensions within your instance, such as a Markdown editor or secure spreadsheets.

What is Standard Notes

Standard Notes is a free, open-source, and completely encrypted notes app. Being open-source, allows anyone to self-host their own Standard Notes server. Which means that you own all of your data, on your own server.

Standard Notes is great for a secure, private, encypted note taking solution. Even without self-hosting, all notes are E2E (end-to-end) encrypted. This means that nobody, other than yourself, can view the notes that you have written.

READ ALSO:
GitHub - Chatcola-com/chatcola: chatcola.com messaging server - self-host your messages without multi-domain hell!

I have written about Standard Notes in my My Self Hosted Note Syncing Journey Once Switching to Iphone blog post.

Self-hosting Standard Notes is probably for the paranoid and the curious. I was the latter!

It’s relativley simple and gives you piece of mind knowing that only you own your data.

Step 1: Setting up the syncing server

You’ll need to set up a new Linux server. I’ll be using a Ubuntu Server instance which I self host in Proxmox. This new server will need to have Docker and Docker Compose installed.

These can be installed by running the following commands on your server after you have ssh’d to your server

READ ALSO:
Self-host your very own strongSwan IKEv2/IPsec state-of-the-art VPN server for iOS and macOS
Self-host your very own strongSwan IKEv2/IPsec state-of-the-art VPN server for iOS and macOS. Step 3: Create a SSH key pair for vpn-server.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install docker.io
sudo apt-get install docker-compose

Next, you’ll need to create a new folder in your home directory of your server. Mine would be /home/ed/ for example.

mkdir standard-notes-server
cd standard-notes-server

In the standard-notes-server directory, you’ll need to create an new file named docker-compose.yml

touch docker-compose.yml

Open this file with your favorite editor, I use Vim.

You’ll need to paste the following yaml code into the docker-compose.yml file. This is what Docker Compose reads to provision your Docker container.

version: '3'
services:
  app:
    build: .
    command: start-local
    env_file: .env
    restart: unless-stopped
    environment:
      DB_HOST: db
    ports:
      - ${EXPOSED_PORT}:3000
    volumes:
      - .:/syncing-server
    links:
      - db
  db:
    image: mysql:5.7
    environment:
      MYSQL_DATABASE: '${DB_DATABASE}'
      MYSQL_USER: '${DB_USERNAME}'
      MYSQL_PASSWORD: '${DB_PASSWORD}'
      MYSQL_ROOT_PASSWORD: '${DB_ROOT_PASSWORD}'
    expose:
      - 3306
    ports:
      - 3306
    restart: unless-stopped
    command: --default-authentication-plugin=mysql_native_password --character-set-server=utf8 --collation-server=utf8_general_ci
    volumes:
      - ./data:/var/lib/mysql

READ ALSO:
Configuring DNS-Over-HTTPS on Pi-hole
This means that the connection from the device to the DNS server is secure and can not easily be snooped, monitored, tampered with or blocked.In the following sections we will be covering how to install and configure this tool on.

Save docker-compose.yml and exit back to the folder.

You’ll also need the create a .env file. This is where your environment variables will be stored.

touch .env

Again, edit this file with your favorite editor and paste in the following.

# Rails Settings

EXPOSED_PORT=3000
RAILS_ENV=production
RAILS_LOG_TO_STDOUT=false

# Database Settings

DB_PORT=3306
DB_HOST=127.0.0.1
DB_DATABASE=standard_notes_db
DB_USERNAME=std_notes_user

# Please change this!
DB_PASSWORD=changeme123

# Please change this!
DB_ROOT_PASSWORD=changeme123

DB_POOL_SIZE=30
DB_WAIT_TIMEOUT=180

SECRET_KEY_BASE=changeme123

# Disable user registration
#DISABLE_USER_REGISTRATION=true

# Datadog
DATADOG_ENABLED=false

READ ALSO:
Remote Code Execution on most Dell computers

Save and exit that file.

Now, ensure that you’re in the standard-notes-server directory and run the following command.

docker-compose up -d

This will start docker, using the docker-compose.yml file and run the server in detached mode.

You should hopefully have an instance running at http://localhost:3000

Your MySQL Data will be written to your local disk at /var/lib/mysql - Be sure to back this up.

Step 2: Setting up Nginx

Nginx is a reverse proxy that allows you to point incoming web traffic to your new Standard Notes syncing server. If you only intend on using Standard Notes locally, you can skip this section entirely.

Installation

sudo apt install nginx

If you have UFW installed, you will have to Allow Nginx through your local firewall.

READ ALSO:
GitHub - SadeghHayeri/GreenTunnel: GreenTunnel is an anti-censorship utility designed to bypass the DPI system that is put in place by various ISPs to block access to certain websites.

I have a tutorial for setting up UFW here

sudo ufw app list

Output
---

Available applications:
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
  OpenSSH

As you can see, there are three profiles available for Nginx:

Nginx Full: This profile opens both port 80 (normal, unencrypted web traffic) and port 443 (TLS/SSL encrypted traffic)
Nginx HTTP: This profile opens only port 80 (normal, unencrypted web traffic)
Nginx HTTPS: This profile opens only port 443 (TLS/SSL encrypted traffic)

It is recommended that you enable the most restrictive profile that will still allow the traffic you’ve configured. Since we haven’t configured SSL for our server yet in this guide, we will only need to allow traffic on port 80.

READ ALSO:
How to Set Up a Pi-Hole Ad Blocking VPN Server on Google Cloud’s Always Free Usage Tier

You can enable this by typing:

sudo ufw allow 'Nginx HTTP'

Checking your webserver is up and running

sudo systemctl status nginx

You should see something that looks like the following

● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running)
...

Step 3: Pointing Nginx to your syncing server

The next part allows us to take incoming traffic and point it to your container instance. Allowing you to expose your syncing server to the internet.

READ ALSO:
Dnsmasq-based DNS blocking

This will allow you to hook up Standard Notes on any device and sync your notes privatley.

If someone gets hold of your public endpoint, your notes will still be safe as they are encrypted with your Standard Notes username and password.

Navigate to /etc/nginx/

cd /etc/nginx/

Use your favorite text editor and open the following file with sudo

sudo vim nginx.conf

I use the following code for my syncing server

server {
    listen 80;
    listen [::]:80;
    server_name notes.bowlerdesign.tech;

    location / {
        proxy_pass http://127.0.0.1:3000; # syncing-server address
    }
}

Step 4: Port-forwarding

READ ALSO:
Protect Your Browsing With DNS Over TLS

You will need to port forward your instance to allow public access to your instance. This will involve googling how to port forward from your router.

You’ll need to point port 80 to your instance where nginx is set up.

Step 5: Linking Standard Notes with your public domain

You will also need to set up a public domain name. This can then be used to call your new public instance with port 80 exposed.

For example, I would set up a sub domain on bowlerdesign.tech to be notes.bowlerdesign.tech. Notice this is also the domain I specified in my nginx config above.

Here’s something to search for with regards to setting up a domain name