This repository has been archived on 2025-08-09. You can view files and clone it. You cannot open issues or pull requests or push a commit.
renovate 58f70ac285
chore(deps): update node.js to 473b436
2025-04-23 19:07:36 +00:00

Web-App-Template

A basic template with authentication that is easy to host on a small VPS.

Features

This template includes the essentials for building an app. It has the following features:

  • Authentication: users can log in, log out, register and reset their password. (TOTP as a second factor is planned for increased security.)
  • Observability: the stack contains a Grafana + Prometheus instance for basic monitoring. You can add alerts and get notified on your phone.
  • Mail: you can send mail over SMTP. You still need an external mail server, but a guide on setting that up with a custom domain is included.
  • SSL: provided by Traefik as the reverse proxy, which obtains and renews certificates automatically. All services are exposed on their own subdomains.
  • Stack: Tailwind CSS + HTMX + Go backend with templ and SQLite

Architecture Design Decisions

Authentication

Authentication is a broad topic, and the common advice is that you should not implement it yourself. On the other hand, if only security experts were allowed to write software, what would that result in? Below I lay out my criteria and then take a decision.

There are a few constraints I would like to satisfy:

  • The template should do as much as possible without relying on external services, to keep setup cost and dependencies minimal.
  • It should still run on a small VPS (2 vCPU, 2 GB RAM).
  • It should be as secure as possible.

I identified 4 options:

  1. Implement the authentication myself
  2. Using OAuth2 with Google and Apple
  3. Using OAuth2 with Keycloak
  4. Firebase, Clerk, etc.

1. Implement the authentication myself

It is always possible to implement it myself, but authentication is a special case.

Pros:
  • Great cheat sheets from OWASP
  • No additional configuration or services needed
  • Great learning experience on the topic of security
Cons:
  • Large attack surface
  • Risk of introducing vulnerabilities
  • No DDoS protection

2. Using OAuth2 with Google and Apple

Instead of implementing authentication from scratch, an external OAuth2 provider is embedded into the application.

Pros:
  • The systems of BigTech are probably safer; they employ security experts.
  • The external provider is responsible for preventing credential stuffing attacks, etc.
  • Users don't have to create new credentials.
Cons:
  • High dependency on those providers
  • Single point of failure (if your provider account is banned, access to your application is lost as well)
  • These providers can ban the whole application (all users lose access)
  • Some logic still has to be implemented
  • Full application integration can be difficult

3. Using OAuth2 with Keycloak

This option is almost identical to the previous one, but the provider is self-hosted.

Pros:
  • Independent from third-party providers
  • The credentials are stored safely
Cons:
  • Self-hosted (no DDoS protection, etc.)
  • Some logic still has to be implemented server side
  • Full application integration can be difficult

4. Firebase, Clerk, etc.

Users sign in with a separate SDK on your website.

Pros:
  • Safe and sound authentication
Cons:
  • Dependent on those providers / additional setup needed
  • Application can be banned
  • Some integration code still needed

Decision

I've decided to implement authentication myself, as this is a great learning opportunity. It may not be as secure as the other solutions, but if I keep tightly to the OWASP recommendations it should be good enough.
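As an added example (not code from this repository), here is the password-reset token handling that the OWASP Forgot Password cheat sheet asks for, written in Go with the standard library only: a 256-bit token from crypto/rand, only its SHA-256 hash persisted, a short expiry, single use, and the same error on every failure path. The in-memory ResetStore and its method names are this example's own; in the template the same fields would live in a SQLite table. Password storage itself is not shown here; for that OWASP recommends argon2id or bcrypt, which in Go live outside the standard library (golang.org/x/crypto).

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// resetRecord is the row that gets persisted: no plaintext token, only its hash.
// (Hypothetical in-memory shape standing in for a SQLite table.)
type resetRecord struct {
	userID    string
	expiresAt time.Time
	used      bool
}

// ResetStore keeps pending reset tokens keyed by hex(sha256(token)).
// Looking up by hash is safe without a constant-time compare: an attacker
// would have to guess 256 random bits to hit any key.
type ResetStore struct {
	mu     sync.Mutex
	byHash map[string]*resetRecord
	ttl    time.Duration
}

func NewResetStore(ttl time.Duration) *ResetStore {
	return &ResetStore{byHash: make(map[string]*resetRecord), ttl: ttl}
}

// hashToken is what gets stored. A database dump then yields only hashes,
// which cannot be presented to the reset endpoint.
func hashToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Issue creates a single-use token for userID. The plaintext is returned once
// (to be put in the email link) and is never stored.
func (s *ResetStore) Issue(userID string, now time.Time) (string, error) {
	raw := make([]byte, 32) // 256 bits from crypto/rand, never math/rand
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw) // URL-safe, no padding
	s.mu.Lock()
	defer s.mu.Unlock()
	// A new request invalidates earlier unused tokens for the same user, so an
	// old link lying in a mailbox cannot be replayed after a fresh one was sent.
	for h, r := range s.byHash {
		if r.userID == userID && !r.used {
			delete(s.byHash, h)
		}
	}
	s.byHash[hashToken(token)] = &resetRecord{userID: userID, expiresAt: now.Add(s.ttl)}
	return token, nil
}

var ErrInvalidToken = errors.New("invalid or expired reset token")

// Consume validates a presented token and burns it. Unknown, expired and
// already-used tokens all produce the same error so the endpoint does not
// reveal which case applied.
func (s *ResetStore) Consume(token string, now time.Time) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	r, ok := s.byHash[hashToken(token)]
	if !ok || r.used || now.After(r.expiresAt) {
		return "", ErrInvalidToken
	}
	r.used = true
	return r.userID, nil
}

func main() {
	store := NewResetStore(15 * time.Minute)
	now := time.Now()
	tok, err := store.Issue("user-42", now)
	if err != nil {
		panic(err)
	}
	fmt.Println("emailed token:", tok)
	fmt.Println("stored hash:  ", hashToken(tok))
	uid, err := store.Consume(tok, now.Add(time.Minute))
	fmt.Println("first use:", uid, err)
	_, err = store.Consume(tok, now.Add(time.Minute))
	fmt.Println("second use:", err)
}
```

The reset endpoint should also always respond with the same message whether or not the email address exists, and the new password should be set in the same request that consumes the token, so the token is never valid for a second attempt.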

Email

For email verification etc. a mail server is needed that can send a lot of mail. Additionally, a mail account is needed for incoming email. I thought about self-hosting, but unfortunately that is a hassle to maintain. Not only do you have to set up a mail server, which is not as easy as it sounds, you also have to establish your server's reputation with the different providers (correct reverse DNS plus SPF, DKIM and DMARC records). Otherwise you are not able to send and receive email reliably.

To avoid vendor lock-in, I decided to use an SMTP relay rather than a vendor-specific API. I chose brevo.com. They have a generous free tier of 300 mails per day. You can either upgrade to a monthly plan at $10 for 20k mails or buy credits at $30 for 5k mails.
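As an added example (not the repository's own mailer), a minimal Go sender for an SMTP relay on the submission port, using only net/smtp. The environment variable names (SMTP_HOST, SMTP_PORT, SMTP_USER, SMTP_PASS, MAIL_FROM) and the Mailer type are this example's assumptions; the actual relay host and credentials come from the Brevo account and are not listed on this page. The security-relevant part is BuildMessage, which refuses CR or LF in any header value so that a recipient address or subject taken from user input cannot smuggle in extra headers such as a Bcc:.

```go
package main

import (
	"errors"
	"fmt"
	"net/smtp"
	"os"
	"strings"
)

// Mailer holds the relay settings. Variable names are this example's choice.
type Mailer struct {
	Host, Port, User, Pass, From string
}

// MailerFromEnv reads SMTP_HOST, SMTP_PORT (587 for submission), SMTP_USER,
// SMTP_PASS and MAIL_FROM; all five are required.
func MailerFromEnv() (*Mailer, error) {
	m := &Mailer{
		Host: os.Getenv("SMTP_HOST"),
		Port: os.Getenv("SMTP_PORT"),
		User: os.Getenv("SMTP_USER"),
		Pass: os.Getenv("SMTP_PASS"),
		From: os.Getenv("MAIL_FROM"),
	}
	if m.Host == "" || m.Port == "" || m.User == "" || m.Pass == "" || m.From == "" {
		return nil, errors.New("SMTP_HOST, SMTP_PORT, SMTP_USER, SMTP_PASS and MAIL_FROM must be set")
	}
	return m, nil
}

var ErrHeaderInjection = errors.New("header value contains CR or LF")

// checkHeader rejects CR/LF in anything that lands in a header line. Without
// this, a user-controlled address or subject could append further headers or
// terminate the header block early and inject its own body.
func checkHeader(v string) error {
	if strings.ContainsAny(v, "\r\n") {
		return ErrHeaderInjection
	}
	return nil
}

// BuildMessage assembles an RFC 5322 text/plain message with CRLF line endings.
// Subject is assumed to be ASCII; non-ASCII would need RFC 2047 encoding.
func BuildMessage(from, to, subject, body string) ([]byte, error) {
	for _, v := range []string{from, to, subject} {
		if err := checkHeader(v); err != nil {
			return nil, err
		}
	}
	var b strings.Builder
	fmt.Fprintf(&b, "From: %s\r\n", from)
	fmt.Fprintf(&b, "To: %s\r\n", to)
	fmt.Fprintf(&b, "Subject: %s\r\n", subject)
	b.WriteString("MIME-Version: 1.0\r\n")
	b.WriteString("Content-Type: text/plain; charset=utf-8\r\n")
	b.WriteString("\r\n")
	// Normalise body line endings so a bare "\n" does not yield a malformed message.
	b.WriteString(strings.ReplaceAll(strings.ReplaceAll(body, "\r\n", "\n"), "\n", "\r\n"))
	return []byte(b.String()), nil
}

// Send delivers one message through the relay. smtp.SendMail upgrades to
// STARTTLS when the server advertises it, and smtp.PlainAuth refuses to send
// the password unless the connection is TLS (or to localhost), so a
// misconfigured plaintext relay fails closed instead of leaking credentials.
func (m *Mailer) Send(to, subject, body string) error {
	msg, err := BuildMessage(m.From, to, subject, body)
	if err != nil {
		return err
	}
	auth := smtp.PlainAuth("", m.User, m.Pass, m.Host)
	return smtp.SendMail(m.Host+":"+m.Port, auth, m.From, []string{to}, msg)
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: mailer <recipient>")
		os.Exit(2)
	}
	m, err := MailerFromEnv()
	if err == nil {
		err = m.Send(os.Args[1], "Relay test", "Hello from the SMTP relay.\n")
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

The recipient address should additionally be validated with net/mail.ParseAddress before it reaches BuildMessage, and the SMTP_PASS value belongs in the deployment's secret store rather than in the image or the repository.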

https://me-fit.eu
Languages
Go 90.6%
templ 7.9%
Dockerfile 0.8%
JavaScript 0.5%
CSS 0.2%