blog: self-hosting: editing pass

This commit is contained in:
Colin 2022-04-05 23:42:19 +00:00
parent 080bda87c8
commit 7b94be103c
1 changed files with 68 additions and 27 deletions


@ -17,45 +17,63 @@ well i fell down the rabbit hole. this domain hosts 6 services and counting:
i have a caffeine problem.
first thing in the morning, i brew myself 3 double-shots of espresso.
it's not even like "make one, drink it, make the second, drink it, make the third": i brew three cups at once and _then_ go to sip them on the couch while catching up on "The News".
it's not even "make one, drink it, make the second, drink it, make the third": i brew three cups at once and _then_ sip them on the couch while catching up on "The News".
i wanted to break the habit. rather, i enjoy the _benefits_ of caffeine, but i dislike the _dependency_.
there are "better" alternatives, if you don't know, but you have to jump through hoops for them.
caffeine's not the only drug in its class, but you have to jump through hoops to obtain any of its cousins.
pretty soon i got _very_ accustomed to using Tor, PGP, etc.
pretty soon i found myself caring much more about our legal system than before. and about our social norms. and about the whole area of political philosophy.
and pretty soon i noticed just how frequently i censor myself. or perhaps how i never actually _am_ myself when operating online. and that disappoints me.
pretty soon i found myself caring much more about legal systems than before. and about social norms. and about the whole area of political philosophy.
and pretty soon i noticed the weird chilling effects in my everyday life.
the legal angle, obviously, but also just social inhibition:
i don't want to be "that guy" who drags the whole room into a topic only i care about.
and so when it comes to the bits of myself which are the most unusual, the most deviant, the most personal,
i don't really have a space to explore those things openly.
and that disappoints me.
## What's a "Fediverse"?
there's this thing called Mastodon. people sometimes label it as a "decentralized Twitter".
i tried it a few years ago, had a positive experience, but didn't really have that strong a desire for "social media" at the time.
after pandemic madness, or maybe just after experiencing that shrinking social circle that people in their 30's like to complain about, i'm a little more curious about the social internet than before.
there's this thing called [Mastodon](https://en.wikipedia.org/wiki/Mastodon_\(software\)), oft categorized as a "decentralized Twitter".
i tried it a few years ago and had a positive experience, but didn't really have that strong a desire for "social media" at the time.
after pandemic madness, or maybe just after experiencing that shrinking social circle that my older friends like to complain about, i'm a little more curious about the social internet than before.
the great thing about Mastodon is that it's "federated". anyone can host their own server and bridge it to the rest of the network. the main protocol it speaks is ActivityPub, and in fact there's a lot of software beyond Mastodon which speaks AP.
the novel thing about Mastodon is that it's "federated".
anyone can host their own server and bridge it to the rest of the network.
the main protocol it speaks is ActivityPub (AP), and there's a lot of software beyond Mastodon which speaks AP.
i found Pleroma, which claims support for hosting behind Tor, and i even found a few Tor-bridged instances out there. so i thought i'd set up my own and dive in.
i discovered [Pleroma](https://pleroma.social/), which claims support for hosting behind Tor, and i even found a few Tor-bridged instances out there.
so i thought i'd set up my own and dive in.
## How Do I Host This Shit
using Tor as a client is super easy: just install the Tor browser and go. running a service behind Tor is slightly more complex, but still a fairly easy process to understand:
run the Tor daemon. it exposes a SOCKS5 proxy service on port 8095 or something. launch Pleroma, and tell it to proxy all TCP traffic through port 8095. now you can make outbound requests to the Fediverse from behind Tor.
but you have no public address yet, so you can't get incoming messages. configure Pleroma to listen on some local port. then configure Tor to run some Onion Service that's serviced by this local port. Tor will generate some <hash>.onion address which is now your publicly routable address.
using Tor as a client is easy: just install the Tor browser and go.
running a service behind Tor is slightly more complex, but still fairly easy to understand:
run the Tor daemon. it exposes a SOCKS5 proxy service on port 9050.
launch Pleroma and tell it to proxy all TCP traffic through that port.
now you can make outbound requests to the Fediverse from behind Tor.
but you have no public address yet, so you can't get incoming messages.
configure Pleroma to listen on some local port.
then configure Tor to run some Onion Service that's serviced by this local port. Tor will generate some \<hash\>.onion address which is now your publicly routable address.
to cap: external actors send HTTP/TCP requests to <hash>.onion, these are serviced by Pleroma and the response is sent back through this tunnel. when Pleroma is the _initiator_ of some request, it proxies that to the [clearnet] recipient by tunneling it through a separate Tor SOCKS5 proxy. with this setup you can _send_ messages to anyone on the Fediverse, but you can only _receive_ messages from those who understand .onion addresses.
to cap: external actors send HTTP/TCP requests to \<hash\>.onion, these are serviced by Pleroma and the response is sent back through this tunnel.
when Pleroma is the _initiator_ of a request, it proxies that to the recipient by tunneling it through a separate Tor SOCKS5 proxy.
with this setup you can _send_ messages to anyone on the Fediverse (Tor or clearnet), but you can only _receive_ messages from those who understand .onion addresses.
this whole process is helpfully documented in the Pleroma [docs](https://docs.pleroma.social/backend/configuration/onion_federation/).
## Sounds Pretty Fragile
too much complexity? HAHAHA. let's add more.
too much complexity? AHAHA. let's add more.
(there are millions of fridges out there running Linux as i write. i just saw somebody post a photo of their oven after its OS crashed. ponder that.)
so the worry here is that Pleroma might be tricked or bugged into ignoring the proxy and communicating over the clear net.
we can take inspiration from Whonix for this. set up two machines:
so the worry here is that Pleroma might be tricked or bugged into ignoring the proxy and communicating over the clearnet.
we can take inspiration from [Whonix](https://en.wikipedia.org/wiki/Whonix) for this.
set up two machines:
- the first machine (U) has two NICs. one NIC is connected to the WAN, and the other is connected directly to the second machine (D). U runs nothing but a Tor proxy, exposing only the proxy endpoint to D (and relaying traffic from its Tor hidden service to D).
- the first machine (U) has two NICs. one NIC is connected to the WAN and the other NIC is connected directly to the second machine (D). U runs nothing but a Tor proxy, exposing only the proxy endpoint to D (and relaying traffic from its onion service to D).
- the second machine (D) has only the one NIC, connected directly to U. there is no way for any traffic to escape the machine except by passing through the Tor proxy.
in actuality, we'll want to restrict D even further: it probably has hardware WiFi or Bluetooth, which is just another vector. so we package up all the application software and throw it inside a VM on D, exposing no IO except that relevant NIC to the VM.
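Review bot: the isolation claim in the D bullet ("there is no way for any traffic to escape the machine except by passing through the Tor proxy") only holds if U refuses to route D's packets, and the U bullet does not say so; suggest stating that U has IP forwarding disabled and firewalls its D-facing NIC so the only things reachable from D are the SOCKS port and the onion-service backend, otherwise a Pleroma that is "tricked or bugged into ignoring the proxy" can still reach the WAN through U. In the same two-machine variant the daemon described at "it exposes a SOCKS5 proxy service on port 9050" has to listen on U's D-facing interface rather than 127.0.0.1 (9050 is the standalone tor daemon's default; the tor bundled with Tor Browser, which the paragraph opens with, uses 9150, worth a parenthetical). Minor style: the hunk carries both `<hash>.onion` and the backslash-escaped `\<hash\>.onion`; keep one form.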
@ -65,20 +83,23 @@ congrats, you've got a decently secure, anonymized computing setup. now you have
## You're Telling Me It Was All for Naught?
as if you didn't see it coming. but hey, i'm sure you'll find some way to use all that infrastructure for your... _Bitcoin_ activities.
as if you didn't see it coming.
but hey, i'm sure you'll find some way to use all that infrastructure for your... _Bitcoin_ activities.
so anyway, give up on your dream of perfect anonymity. you know first-hand now how difficult and restricting that actually is. meditate on _why_ you're spending so much time fiddling with these logic gates and bits and as the cool kids who aren't actually cool say, "pivot".
so anyway, give up on your dream of perfect anonymity. you know first-hand now how difficult and restricting that actually is. meditate on _why_ you're spending so much time fiddling with these logic gates and bits and reorient.
## Self-Hosting Is Fetch
i think this whole Internet thing is maybe just a social playfield? something to do with exploration, connections, creativity, and self-discovery? an open environment wherein _anyone with time/dedication_ can do these things?
i think this whole Internet thing is maybe just a social playfield?
something to do with exploration, connections, creativity, and self-discovery?
an open environment wherein _anyone_ with time/dedication can do these things?
wait, is _that_ where the Web went?
i don't want to oversimplify it, but when i recount my favorite eras of the internet, they're like this:
i don't want to oversimplify or aggrandize it (i will anyway), but when i recount my favorite eras of the internet, they're like this:
- middle school: i built super amateur videogames with my buddies, hosted the downloads + discussion for these on a site we _built by hand_, and then distributed the binaries + web link by _handing out CDs in the school hallway_. it was _stupidly_ successful (surely a function of the era).
- high school: i found my first fandom. i wrote amateur music, internet friends made the song art, these things got shared widely on blogs and Skype and message boards. i attended cons and had the repeat experience of somebody discovering "oh, you're the guy who made _that_" 10 minutes into one of the late-night hotel-room conversations.
- high school: i encountered my first fandom. i wrote amateur music, internet friends made the song art, these things were shared on blogs and Skype and message boards. i attended cons and had the repeat experience of somebody discovering "oh, you're the guy who made _that_" 10 minutes into one of those late-night hotel-room conversations.
- college: i maintained some open source projects and blogged about technical/academic topics. people from across the world emailed me private responses that must have taken _hours_ to write. i'd video-chat with people to help them port/extend my software to larger purposes. a professor even assigned my work as reading material for their students.
and i never really _got_ it. but i think it was just simple, social, creativity. and i want more of that in my life.
@ -86,14 +107,34 @@ and i never really _got_ it. but i think it was just simple, social, creativity.
## Stripping It Down
that host machine (D) already has all the stuff we need for a secure-enough system if we strip out the anonymizing function of U. so do that, and use your Pleroma instance to explore the Fediverse. respectably insert yourself into conversations with everyday people and _make connections_.
i don't really need anonymity for this project, in fact strict anonymity would _detract_ from it. i just need whatever level of pseudonymity helps me to let my guard down (and to not worry about e.g. identity theft).
find some little bug, or missing feature, and _create_ a fix for it. set up a Matrix (or xmpp) instance and reach out to the devs to coordinate. set up a gitea instance in which to host your improved version of the project and from which to initiate a merge request. give yourself your own _personal_ homepage on the Web with a static site builder like Zola. throw all this behind nginx so that you can host these services on different subdomains on the same physical host. use `certbot`/LetsEncrypt to secure the http traffic in all of 10 minutes. spin up different systemd-nspawn/LXC/Qemu instances to isolate each service, or ditch proper containerization and just embrace seperate, privilege-limited user accounts for each service. you make the call. just remember to take backups seriously, because things _will_ go wrong as you're fiddling with all this stuff.
that host machine (D) already has all the stuff we need for a secure-enough system if we strip out the anonymizing function of U.
so do that, and use your Pleroma instance to explore the Fediverse.
respectably insert yourself into conversations with everyday people and _make connections_.
once you're tired of updating DNS subdomain records through your registrar's portal, host your own nameserver. point your toplevel domain to afraid.org's free dynamic DNS service if you have an unstable residential IP.
find some little bug, or missing feature, and _create_ a fix for it.
set up a Matrix (or xmpp) instance and reach out to the devs to coordinate.
set up a gitea instance in which to host your improved version of the project and from which to initiate a merge request.
give yourself your own _personal_ homepage on the Web with a static site builder like Zola.
throw all this behind nginx so that you can host these services on different subdomains on the same physical host.
use `certbot`/LetsEncrypt to secure the http traffic in all of 10 minutes.
spin up different systemd-nspawn/LXC/Qemu instances to isolate each service, or ditch proper containerization and just embrace seperate, privilege-limited user accounts for each service.
you make the call.
just remember to take backups seriously, because things _will_ go wrong as you're fiddling with all this stuff.
at some point, you'll have to deal with email. i'm still working on that part, so i'll forgive you if you settle on gmail/hosted Zoho/etc. really you can any maybe should skip as many of these components as you want if they don't align with your mission.
but just remember that it's *you* who create the web. this was and can be a _person to person_ network. and there are persons out there who _want you in it_. if you get this far and want a hand in any of it, reach out to another person. message me on [Pleroma](https://fed.uninsane.org/colin) or on Matrix <@colin:matrix.uninsane.org>. i promise i will respond, and i will be _happy_ to do so.
once you're tired of updating DNS subdomain records through your registrar's portal, host your own nameserver.
point your toplevel domain to [afraid.org](https://freedns.afraid.org/)'s free & friendly dynamic DNS service if you have an unstable residential IP.
at some point, you'll have to deal with email.
the state of email on the web is... pretty broken, so i'll forgive you if you settle on gmail/hosted Zoho/etc.
really you can -- and maybe should -- skip as many of these components as you want if they don't align with your mission.
but just remember that it's *you* who create the web.
this was and can be a _person to person_ network.
and there are persons out there who _want you in it_.
if you read this far and want a hand in any of it, reach out to another person.
message me on [Pleroma](https://fed.uninsane.org/colin) or on Matrix <@colin:matrix.uninsane.org>.
i promise i'll respond, in all likelihood i'll be _happy_ to share this space with you.
Colin
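Review bot: typo at "embrace seperate, privilege-limited user accounts": seperate -> separate (the line it replaces has the same typo). On that same line, per-service user accounts limit what each service can read on disk but every service still shares the host's network stack, so to get the isolation the paragraph is after, bind each service (Pleroma, gitea, Matrix) to localhost and let the nginx reverse proxy from "throw all this behind nginx" be the only listener on the public interface; that also keeps the certbot step to one front door. Minor style: gitea, xmpp and Qemu are lower- or mixed-cased while Matrix, Zola and Pleroma get their proper names (Gitea, XMPP, QEMU), and the Matrix handle written as `<@colin:matrix.uninsane.org>` is worth checking in the rendered output, since the .onion address earlier in the post gets escaped angle brackets and this one does not.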