draft a blog entry about my self-hosted setup

Colin 2022-03-30 10:32:33 +00:00
parent b920c46996
commit 9cf4d50a7e
1 changed file with 105 additions and 0 deletions

@ -0,0 +1,105 @@
+++
title = "Self Hosting in More Detail Than You Asked For"
date = 2022-03-29
+++
well i fell down the rabbit hole. this domain hosts 6 services and counting:
- nginx (serving you this page)
- gitea (for git hosting/collaboration)
- Pleroma (for federated ~~shitposting~~ social networking)
- Matrix (for chat/instant messaging)
- Jellyfin (for A/V streaming)
- named (for serving the DNS records of all the above)
How it Started: a Brief History of Bitcoin
------------------------------------------
i have a caffeine problem.
first thing in the morning, i brew myself 3 double-shots of espresso.
it's not even like "make one, drink it, make the second, drink it, make the third": i brew three cups at once and _then_ go to sip them on the couch while catching up on "The News".
i wanted to break the habit. rather, i enjoy the _benefits_ of caffeine, but i dislike the _dependency_.
there are "better" alternatives, if you don't know, but you have to jump through hoops for them.
pretty soon i got _very_ accustomed to using Tor, PGP, etc.
pretty soon i found myself caring much more about our legal system than before. and about our social norms. and about the whole area of political philosophy.
and pretty soon i noticed just how frequently i censor myself. or perhaps how i never actually _am_ myself when operating online. and that disappoints me.
What's a "Fediverse"?
-------------------
there's this thing called Mastodon. people sometimes label it as a "decentralized Twitter".
i tried it a few years ago, had a positive experience, but didn't really have that strong a desire for "social media" at the time.
after pandemic madness, or maybe just after experiencing that shrinking social circle that people in their 30's like to complain about, i'm a little more curious about the social internet than before.
the great thing about Mastodon is that it's "federated". anyone can host their own server and bridge it to the rest of the network. the main protocol it speaks is ActivityPub, and in fact there's a lot of software beyond Mastodon which speaks AP.
i found Pleroma, which claims support for hosting behind Tor, and i even found a few Tor-bridged instances out there. so i thought i'd set up my own and dive in.
How Do I Host This Shit
-----------------------
using Tor as a client is super easy: just install the Tor browser and go. running a service behind Tor is slightly more complex, but still a fairly easy process to understand:
run the Tor daemon. it exposes a SOCKS5 proxy service on port 8095 or something. launch Pleroma, and tell it to proxy all TCP traffic through port 8095. now you can make outbound requests to the Fediverse from behind Tor.
but you have no public address yet, so you can't get incoming messages. configure Pleroma to listen on some local port. then configure Tor to run some Onion Service that's serviced by this local port. Tor will generate some <hash>.onion address which is now your publicly routable address.
to cap: external actors send HTTP/TCP requests to <hash>.onion, these are serviced by Pleroma and the response is sent back through this tunnel. when Pleroma is the _initiator_ of some request, it proxies that to the [clearnet] recipient by tunneling it through a separate Tor SOCKS5 proxy. with this setup you can _send_ messages to anyone on the Fediverse, but you can only _receive_ messages from those who understand .onion addresses.
Sounds Pretty Fragile
---------------------
too much complexity? HAHAHA. let's add more.
(there are millions of fridges out there running Linux as i write. i just saw somebody post a photo of their oven after its OS crashed. ponder that.)
so the worry here is that Pleroma might be tricked or bugged into ignoring the proxy and communicating over the clear net.
we can take inspiration from Whonix for this. set up two machines:
- the first machine (U) has two NICs. one NIC is connected to the WAN, and the other is connected directly to the second machine (D). U runs nothing but a Tor proxy, exposing only the proxy endpoint to D (and relaying traffic from its Tor hidden service to D).
- the second machine (D) has only the one NIC, connected directly to U. there is no way for any traffic to escape the machine except by passing through the Tor proxy.
in actuality, we'll want to restrict D even further: it probably has hardware WiFi or Bluetooth, which is just another vector. so we package up all the application software and throw it inside a VM on D, exposing no IO except that relevant NIC to the VM.
congrats, you've got a decently secure, anonymized computing setup. now you have to deal with the fact that even though Pleroma and Mastodon _support_ federation over Tor, it's an optional configuration that pretty much nobody out there enables. plus, the Pleroma frontend requires Javascript, which just means you've shifted the security burden from the server onto the client.
You're Telling Me It Was All For Naught?
----------------------------------------
as if you didn't see it coming. but hey, i'm sure you'll find some way to use all that infrastructure for your... _Bitcoin_ activities.
so anyway, give up on your dream of perfect anonymity. you know first-hand now how difficult and restricting that actually is. meditate on _why_ you're spending so much time fiddling with these logic gates and bits and as the cool kids who aren't actually cool say, "pivot".
Self-hosting is Fetch
---------------------
i think this whole Internet thing is maybe just a social playfield? something to do with exploration, connections, creativity, and self-discovery? and an open environment wherein _anyone with time/dedication_ can do these things?
wait, is _that_ where the Web went?
i don't want to oversimplify it, but when i recount my favorite eras of the internet, they're like this:
- middle school: i built super amateur videogames with my buddies, hosted the downloads + discussion for these on a site we _built by hand_, and then distributed the binaries + web link by _handing out CDs in the school hallway_. it was _stupidly_ successful (surely a function of the era).
- high school: i found my first fandom. i wrote amateur music, internet friends made the song art, these things got shared widely on blogs and Skype and message boards. i attended cons and had the repeat experience of somebody discovering "oh, you're the guy who made _that_" after 10 minutes of hotel-room conversation.
- college: i maintained some open source projects and blogged about technical/academic topics. people from across the world emailed me private responses that must have taken _hours_ to write. i'd video-chat with people to help them port/extend my software for larger purposes. a professor even assigned my work as reading material for their students.
and i never really _got_ it. but i think it was just simple, social, creativity. and i want more of that in my life.
Stripping it down
-----------------
that host machine (D) already has all the stuff we need for a secure-enough system if we strip out the anonymizing function of U. so do that, and use your Pleroma instance to explore the Fediverse. respectably insert yourself into conversations with everyday people and _make connections_.
find some little bug, or missing feature, and _create_ a fix for it. set up a Matrix (or xmpp) instance and reach out to the devs to coordinate. set up a gitea instance in which to host your improved version of the project and from which to initiate a merge request. give yourself your own _personal_ homepage on the Web with a static site builder like Zola. throw all this behind nginx so that you can host these services on different subdomains on the same physical host. use `certbot`/LetsEncrypt to secure the http traffic in all of 10 minutes. spin up different Qemu instances to isolate each service, or use LXC, or just embrace seperate, privilege-limited user accounts for each service (in which case you could ditch the VM altogether). you make the call. just remember to take backups seriously, because things _will_ go wrong as you're fiddling with all this stuff.
once you're tired of updating DNS subdomain records through your registrar's portal, host your own nameserver. point your toplevel domain to afraid.org's free dynamic DNS service if you have an unstable residential IP.
at some point, you'll have to deal with email. i'm still working on that part, so i'll forgive you if you settle on gmail/hosted Zoho/etc. really you can any maybe should skip as many of these components as you want if they don't align with your mission.
but just remember that it's *you* who create the web. this was and can be a _person to person_ network. and there are persons out there who _want you in it_. if you get this far and want a hand in any of it, reach out to another person. message me on Pleroma <https://fed.uninsane.org/colin> or on Matrix <@colin:matrix.uninsane.org>. i promise i will respond, and i will be _happy_ to do so.
Colin
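Review bot: the Tor SOCKS port is given as "8095 or something" in the "How Do I Host This Shit" section, but the daemon's default SocksPort is 9050 (9150 is what the Tor Browser bundle uses); since the text tells the reader to point Pleroma's proxy at that same port and then reuses the layout for the two-machine U/D design, the real number should be stated rather than guessed. In the "Sounds Pretty Fragile" section, "there is no way for any traffic to escape the machine except by passing through the Tor proxy" is only true because U "exposes only the proxy endpoint to D"; it is worth saying explicitly that U has to drop everything else D sends (U is the enforcement point, exactly as in Whonix), otherwise a reader who only gives D a second NIC gets none of the isolation the section promises. Minor: "seperate" in the "Stripping it down" section should be "separate", and "really you can any maybe should skip as many of these components" reads as a dropped word ("you can and maybe should skip").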