
Self Hosting in More Detail Than You Asked For

2022/03/29

well i fell down the rabbit hole. this domain hosts 6 services and counting:

How It Started: A Brief History of Bitcoin

i have a caffeine problem. first thing in the morning, i brew myself 3 double-shots of espresso. it's not even "make one, drink it, make the second, drink it, make the third": i brew three cups at once and then sip them on the couch while catching up on "The News".

i wanted to break the habit. rather, i enjoy the benefits of caffeine, but i dislike the dependency. caffeine's not the only drug in its class, but you have to jump through hoops to obtain any of its cousins. pretty soon i got very accustomed to using Tor, PGP, etc. pretty soon i found myself caring much more about legal systems than before. and about social norms. and about the whole area of political philosophy. and pretty soon i noticed the weird chilling effects in my everyday life. the legal angle, obviously, but also just social inhibition: i don't want to be "that guy" who drags the whole room into a topic only i care about. and so when it comes to the bits of myself which are the most unusual, the most deviant, the most personal, i don't really have a space to explore those things openly. and that disappoints me.

What's a "Fediverse"?

there's this thing called Mastodon, oft categorized as a "decentralized Twitter". i tried it a few years ago and had a positive experience, but didn't really have that strong a desire for "social media" at the time. after pandemic madness, or maybe just after experiencing that shrinking social circle that my older friends like to complain about, i'm a little more curious about the social internet than before.

the novel thing about Mastodon is that it's "federated". anyone can host their own server and bridge it to the rest of the network. the main protocol it speaks is ActivityPub (AP), and there's a lot of software beyond Mastodon which speaks AP.

i discovered Pleroma, which claims support for hosting behind Tor, and i even found a few Tor-bridged instances out there. so i thought i'd set up my own and dive in.

How Do I Host This Shit

using Tor as a client is easy: just install the Tor browser and go. running a service behind Tor is slightly more complex, but still fairly easy to understand: run the Tor daemon. it exposes a SOCKS5 proxy service on port 9050. launch Pleroma and tell it to proxy all its outbound TCP traffic through that port. now you can make outbound requests to the Fediverse from behind Tor. but you have no public address yet, so you can't get incoming messages. configure Pleroma to listen on some local port. then configure Tor to run an Onion Service backed by that local port. Tor will generate some <hash>.onion address, which is now your publicly routable address.

to recap: external actors send HTTP/TCP requests to <hash>.onion, these are serviced by Pleroma and the response is sent back through this tunnel. when Pleroma is the initiator of a request, it reaches the recipient by tunneling through the separate Tor SOCKS5 proxy. with this setup you can send messages to anyone on the Fediverse (Tor or clearnet), but you can only receive messages from those who understand .onion addresses, i.e. instances that route their own outbound traffic through Tor.

this whole process is helpfully documented in the Pleroma docs.
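As an added example (not the post's own setup, and not taken from the Pleroma docs), here is the torrc the two paragraphs above describe, together with a small audit that catches the one configuration slip that matters most with this design: binding the SOCKS proxy or the onion backend to a non-loopback address, which would expose them to the LAN. The directory path and Pleroma's listen port (4000) are assumptions; the Tor directives themselves are standard.

```sh
#!/bin/sh
# Added example: generate a torrc for a Pleroma onion service and audit it.
# Paths and ports below are assumptions, not values from the post.

TOR_DIR="${TOR_DIR:-/var/lib/tor/pleroma}"   # assumed onion service state dir
APP_PORT="${APP_PORT:-4000}"                  # assumed Pleroma loopback port

# write_torrc FILE : the minimal torrc for "outbound via SOCKS, inbound via onion"
write_torrc() {
    cat > "$1" <<EOF
# SOCKS5 proxy Pleroma uses for its outbound requests (loopback only)
SocksPort 127.0.0.1:9050
# Onion service fronting Pleroma's local listener; Tor writes
# $TOR_DIR/hostname with the generated <hash>.onion name
HiddenServiceDir $TOR_DIR
HiddenServiceVersion 3
HiddenServicePort 80 127.0.0.1:$APP_PORT
EOF
}

# audit_torrc FILE : exit 0 if every SocksPort bind address and every
# HiddenServicePort target is loopback (or a bare port, which Tor treats as
# loopback), exit 1 and print each offending line otherwise
audit_torrc() {
    awk '
        function host_of(x) { sub(/:[0-9]+$/, "", x); return x }
        function safe(h) {
            return h ~ /^[0-9]+$/ || h ~ /^127\./ || h == "localhost" ||
                   h == "[::1]" || h ~ /^unix:/
        }
        /^[ \t]*#/ || NF == 0 { next }                       # comments, blanks
        $1 == "SocksPort" && !safe(host_of($2))         { print "unsafe: " $0; bad = 1 }
        $1 == "HiddenServicePort" && !safe(host_of($3)) { print "unsafe: " $0; bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Stand-alone demo: write to a scratch file and audit it.
demo=$(mktemp)
write_torrc "$demo"
audit_torrc "$demo" && echo "torrc ok: $demo"
```

On the Pleroma side the matching setting is the SOCKS proxy URL in its `:http` config (`proxy_url: {:socks5, :localhost, 9050}` in my reading of the docs; verify against the onion federation page the post links). Run `audit_torrc /etc/tor/torrc` after every edit; a line such as `SocksPort 0.0.0.0:9050` is exactly the kind of "helpful" change that turns a private proxy into an open one.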

Sounds Pretty Fragile

too much complexity? AHAHA. let's add more.

(there are millions of fridges out there running Linux as i write. i just saw somebody post a photo of their oven after its OS crashed. ponder that.)

so the worry here is that Pleroma might be tricked or bugged into ignoring the proxy and communicating over the clearnet. we can take inspiration from Whonix for this. set up two machines:

in actuality, we'll want to restrict D even further: it probably has hardware WiFi or Bluetooth, which is just another vector. so we package up all the application software and throw it inside a VM on D, exposing nothing to the VM except the one NIC it needs.
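The worry above is that Pleroma ends up talking to the clearnet directly. The first-line control in a Whonix-style split is topological (the workstation's only route is the gateway), but it is worth being able to check, from inside the application VM, that nothing has slipped past. As an added example (not from the post or from Whonix), here is a leak check that reads `ss -tnp` output and flags every established or connecting socket whose peer is anything other than the gateway's SOCKS port or loopback. The gateway/workstation addresses and the sample `ss` lines are constructed for the demo; in use you would pipe live `ss -tnp` output into it.

```sh
#!/bin/sh
# Added example: flag connections from the application VM that bypass the
# Tor gateway's SOCKS port. Addresses and sample output are constructed.

GATEWAY_SOCKS="${GATEWAY_SOCKS:-10.152.152.10:9050}"   # assumed gateway addr:port

# find_leaks GATEWAY_ADDR:PORT  (reads `ss -tnp` output on stdin)
#   prints "LEAK <peer> <process>" for each ESTAB/SYN-SENT socket whose peer
#   is neither the gateway SOCKS port nor loopback; exit 1 if any were found
find_leaks() {
    awk -v ok="$1" '
        $1 == "State" { next }                    # ss header row
        $1 == "ESTAB" || $1 == "SYN-SENT" {
            peer = $5                             # "Peer Address:Port" column
            if (peer != ok && peer !~ /^127\./ && peer !~ /^\[::1\]/) {
                print "LEAK " peer " " $6         # $6 is the users:((...)) column
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed `ss -tnp` sample: one proxied connection, one loopback
# connection, and one that went straight to a clearnet host (leak).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port      Peer Address:Port   Process
ESTAB  0      0      10.152.152.11:48322     10.152.152.10:9050  users:(("beam.smp",pid=1234,fd=22))
ESTAB  0      0      127.0.0.1:4000          127.0.0.1:50012     users:(("beam.smp",pid=1234,fd=30))
ESTAB  0      0      10.152.152.11:51478     203.0.113.7:443     users:(("beam.smp",pid=1234,fd=41))'

# Stand-alone demo on the sample. Real use:  ss -tnp | find_leaks "$GATEWAY_SOCKS"
printf '%s\n' "$SAMPLE_SS" | find_leaks "$GATEWAY_SOCKS" \
    || echo "leak(s) found in sample (expected: the 203.0.113.7 line)"
```

Run it from cron or a systemd timer and alert on a non-zero exit; a clean result is also a useful regression check after upgrading Pleroma or changing its config. It is a detector, not a guard: the thing that actually stops the leak is the workstation having no route except through the gateway.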

congrats, you've got a decently secure, anonymized computing setup. now you have to deal with the fact that even though Pleroma and Mastodon support federation over Tor, it's an optional configuration that pretty much nobody out there enables. plus, the Pleroma frontend requires JavaScript, which just means you've shifted the security burden from the server onto the client.

You're Telling Me It Was All for Naught?

as if you didn't see it coming. but hey, i'm sure you'll find some way to use all that infrastructure for your... Bitcoin activities.

so anyway, give up on your dream of perfect anonymity. you know first-hand now how difficult and restricting that actually is. meditate on why you're spending so much time fiddling with these logic gates and bits and reorient.

Self-Hosting Is Fetch

i think this whole Internet thing is maybe just a social playfield? something to do with exploration, connections, creativity, and self-discovery? an open environment wherein anyone with time/dedication can do these things?

wait, is that where the Web went?

i don't want to oversimplify or aggrandize it (i will anyway), but when i recount my favorite eras of the internet, they're like this:

and i never really got it. but i think it was just simple, social, creativity. and i want more of that in my life.

Stripping It Down

i don't really need anonymity for this project; in fact, strict anonymity would detract from it. i just need whatever level of pseudonymity helps me to let my guard down (and to not worry about e.g. identity theft).

that host machine (D) already has all the stuff we need for a secure-enough system if we strip out the anonymizing function of U. so do that, and use your Pleroma instance to explore the Fediverse. respectably insert yourself into conversations with everyday people and make connections.

find some little bug, or missing feature, and create a fix for it. set up a Matrix (or XMPP) instance and reach out to the devs to coordinate. set up a gitea instance in which to host your improved version of the project and from which to initiate a merge request. give yourself your own personal homepage on the Web with a static site builder like Zola. throw all this behind nginx so that you can host these services on different subdomains on the same physical host. use certbot/Let's Encrypt to secure the HTTP traffic in all of 10 minutes. spin up different systemd-nspawn/LXC/Qemu instances to isolate each service, or ditch proper containerization and just embrace separate, privilege-limited user accounts for each service. you make the call. just remember to take backups seriously, because things will go wrong as you're fiddling with all this stuff.
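For the "separate, privilege-limited user per service, all behind nginx on subdomains" option above, here is an added example (my own helper, not anything from the post or from the projects it names) that stamps out one systemd unit and one nginx server block per service, plus a check you can point at existing units. Each service runs as its own system user, listens only on loopback, and is reachable from outside solely through nginx on its subdomain; TLS is layered on afterwards with `certbot --nginx`. Service names, binary paths and `example.org` hosts are placeholders.

```sh
#!/bin/sh
# Added example: per-service unix user + sandboxed systemd unit + nginx
# subdomain vhost. Names, paths and domains are placeholders.

# make_service NAME SUBDOMAIN PORT OUTDIR
#   NAME      service name and its dedicated unix user (e.g. gitea)
#   SUBDOMAIN public host nginx answers for (e.g. git.example.org)
#   PORT      loopback port the service listens on
#   OUTDIR    where NAME.service and NAME.conf are written; review them there,
#             then install to /etc/systemd/system and nginx's conf directory
make_service() {
    name=$1; host=$2; port=$3; out=$4
    cat > "$out/$name.service" <<EOF
[Unit]
Description=$name (self-hosted)
After=network.target

[Service]
# dedicated unprivileged account, created once with:
#   useradd --system --shell /usr/sbin/nologin --home-dir /var/lib/$name $name
User=$name
Group=$name
# placeholder binary; the service must be configured to bind 127.0.0.1:$port only
ExecStart=/usr/local/bin/$name
Restart=on-failure
# least-privilege sandboxing, see systemd.exec(5)
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
StateDirectory=$name

[Install]
WantedBy=multi-user.target
EOF
    cat > "$out/$name.conf" <<EOF
# after installing: certbot --nginx -d $host   (adds the TLS listener)
server {
    listen 80;
    server_name $host;
    location / {
        proxy_pass http://127.0.0.1:$port;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# check_unit FILE : exit 0 only if the unit runs as a non-root user with the
# sandboxing directives above; prints the first problem found otherwise
check_unit() {
    for key in User= NoNewPrivileges=yes ProtectSystem=strict ProtectHome=yes PrivateTmp=yes; do
        grep -q "^$key" "$1" || { echo "missing $key in $1"; return 1; }
    done
    grep -q '^User=root' "$1" && { echo "runs as root: $1"; return 1; }
    return 0
}

# Stand-alone use:  sh this.sh gitea git.example.org 3000 ./out
if [ "$#" -eq 4 ]; then
    mkdir -p "$4" && make_service "$@" && check_unit "$4/$1.service" && echo "wrote $4/$1.service and $4/$1.conf"
fi
```

`check_unit` is deliberately blunt: it looks for the directives by name rather than parsing unit syntax, which is enough to catch the common drift (someone commenting out `ProtectSystem=` to "fix" a write error). Run it over `/etc/systemd/system/*.service` as part of the backup routine the post recommends, since that is when you are most likely to notice what changed.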

once you're tired of updating DNS subdomain records through your registrar's portal, host your own nameserver. point your top-level domain to afraid.org's free & friendly dynamic DNS service if you have an unstable residential IP.

at some point, you'll have to deal with email. the state of email on the web is... pretty broken, so i'll forgive you if you settle on gmail/hosted Zoho/etc. really you can -- and maybe should -- skip as many of these components as you want if they don't align with your mission. but just remember that it's you who creates the web. this was and can be a person-to-person network. and there are persons out there who want you in it. if you read this far and want a hand in any of it, reach out to another person. message me through one of the contacts listed on my about page. i promise i'll respond; in all likelihood i'll be happy to share this space with you.

Colin