Self Hosting in More Detail Than You Asked For
well i fell down the rabbit hole. this domain hosts 6 services and counting:
- nginx (serving you this page)
- gitea (for git hosting/collaboration)
- Pleroma (for federated
- Matrix (for chat/instant messaging)
- Jellyfin (for A/V streaming)
- Trust DNS (for serving the DNS records of all the above)
How It Started: A Brief History of Bitcoin
i have a caffeine problem. first thing in the morning, i brew myself 3 double-shots of espresso. it's not even "make one, drink it, make the second, drink it, make the third": i brew three cups at once and then sip them on the couch while catching up on "The News".
i wanted to break the habit. rather, i enjoy the benefits of caffeine, but i dislike the dependency. caffeine's not the only drug in its class, but you have to jump through hoops to obtain any of its cousins. pretty soon i got very accustomed to using Tor, PGP, etc. pretty soon i found myself caring much more about legal systems than before. and about social norms. and about the whole area of political philosophy. and pretty soon i noticed the weird chilling effects in my everyday life. the legal angle, obviously, but also just social inhibition: i don't want to be "that guy" who drags the whole room into a topic only i care about. and so when it comes to the bits of myself which are the most unusual, the most deviant, the most personal, i don't really have a space to explore those things openly. and that disappoints me.
What's a "Fediverse"?
there's this thing called Mastodon, oft categorized as a "decentralized Twitter". i tried it a few years ago and had a positive experience, but didn't really have that strong a desire for "social media" at the time. after pandemic madness, or maybe just after experiencing that shrinking social circle that my older friends like to complain about, i'm a little more curious about the social internet than before.
the novel thing about Mastodon is that it's "federated". anyone can host their own server and bridge it to the rest of the network. the main protocol it speaks is ActivityPub (AP), and there's a lot of software beyond Mastodon which speaks AP.
i discovered Pleroma, which claims support for hosting behind Tor, and i even found a few Tor-bridged instances out there. so i thought i'd set up my own and dive in.
How Do I Host This Shit
using Tor as a client is easy: just install the Tor browser and go. running a service behind Tor is slightly more complex, but still fairly easy to understand: run the Tor daemon. it exposes a SOCKS5 proxy service on port 9050. launch Pleroma and tell it to proxy all TCP traffic through that port. now you can make outbound requests to the Fediverse from behind Tor. but you have no public address yet, so you can't get incoming messages. configure Pleroma to listen on some local port. then configure Tor to run some Onion Service that's serviced by this local port. Tor will generate some <hash>.onion address which is now your publicly routable address.
to recap: external actors send HTTP/TCP requests to <hash>.onion, these are serviced by Pleroma and the response is sent back through this tunnel. when Pleroma is the initiator of a request, it proxies that to the recipient by tunneling it through a separate Tor SOCKS5 proxy. with this setup you can send messages to anyone on the Fediverse (Tor or clearnet), but you can only receive messages from those who understand .onion addresses.
this whole process is helpfully documented in the Pleroma docs.
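to make the single-host setup above concrete, here is an added example (my own, not code from the post, Tor or the Pleroma project): a script that prints the torrc and Pleroma config lines for it, plus a small audit that catches the two classic misconfigurations: an onion service that forwards to something other than the local listener, and a SocksPort bound to an address other than the one you meant. assumed values: Pleroma on 127.0.0.1:4000, Tor state under /var/lib/tor, and the Pleroma `proxy_url` tuple as given in Pleroma's onion-federation docs (check it against the current docs before copying).

```shell
#!/bin/sh
# Added example, not from the post or the Pleroma/Tor projects.
# Assumptions: Pleroma listens on 127.0.0.1:4000, Tor keeps onion keys under
# /var/lib/tor/pleroma, and the SOCKS proxy is only used from this host.

# torrc lines for the single-host layout: SOCKS proxy on loopback only, one
# v3 onion service forwarding virtual port 80 to the local Pleroma listener.
tor_onion_config() {
  cat <<'EOF'
SocksPort 127.0.0.1:9050
HiddenServiceDir /var/lib/tor/pleroma/
HiddenServiceVersion 3
HiddenServicePort 80 127.0.0.1:4000
EOF
}

# Matching Pleroma config.exs lines.  The proxy_url tuple is the form shown in
# Pleroma's onion-federation docs (assumption: verify against current docs);
# the host is a placeholder for the name Tor writes to HiddenServiceDir/hostname.
pleroma_onion_config() {
  cat <<'EOF'
config :pleroma, :http,
  proxy_url: {:socks5, :localhost, 9050}

config :pleroma, Pleroma.Web.Endpoint,
  url: [host: "REPLACE-WITH-HASH.onion", scheme: "http", port: 80],
  http: [ip: {127, 0, 0, 1}, port: 4000]
EOF
}

# audit_torrc FILE [SOCKS_ADDR] [ONION_TARGET_HOST]
# Returns 1 if a HiddenServicePort forwards anywhere but ONION_TARGET_HOST
# (default 127.0.0.1, loopback or a unix socket), or if SocksPort is bound to an
# address other than SOCKS_ADDR (default 127.0.0.1).  A bare port for either
# directive means loopback, per tor(1), so it is accepted.
audit_torrc() {
  file=$1
  socks_ok=${2:-127.0.0.1}
  target_ok=${3:-127.0.0.1}
  rc=0
  while read -r key value rest; do
    case $key in
      HiddenServicePort)
        target=${rest:-$value}      # no explicit target: tor uses 127.0.0.1:<virtport>
        case $target in
          "$target_ok:"*|localhost:*|"[::1]:"*|unix:*) ;;
          *[!0-9]*) echo "onion service forwards to unexpected target: $target" >&2; rc=1 ;;
          *) ;;                     # bare port number: forwards to 127.0.0.1
        esac ;;
      SocksPort)
        case $value in
          unix:*) ;;
          *:*) [ "${value%:*}" = "$socks_ok" ] ||
                 { echo "SocksPort bound to ${value%:*}, expected $socks_ok" >&2; rc=1; } ;;
          *) ;;                     # bare port or "auto": tor binds loopback
        esac ;;
    esac
  done < "$file"
  return $rc
}
```

usage: `tor_onion_config > /etc/tor/torrc.d/pleroma.conf`, then `audit_torrc /etc/tor/torrc` before reloading Tor. for the two-box layout later in the post, where Tor lives on a gateway and forwards to the application host, pass the gateway's internal address and the application host's address as the second and third arguments so the audit knows what "expected" means there.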
Sounds Pretty Fragile
too much complexity? AHAHA. let's add more.
(there are millions of fridges out there running Linux as i write. i just saw somebody post a photo of their oven after its OS crashed. ponder that.)
so the worry here is that Pleroma might be tricked or bugged into ignoring the proxy and communicating over the clearnet. we can take inspiration from Whonix for this. set up two machines:
- the first machine (U) has two NICs. one NIC is connected to the WAN and the other NIC is connected directly to the second machine (D). U runs nothing but a Tor proxy, exposing only the proxy endpoint to D (and relaying traffic from its onion service to D).
- the second machine (D) has only the one NIC, connected directly to U. there is no way for any traffic to escape the machine except by passing through the Tor proxy.
in actuality, we'll want to restrict D even further: it probably has hardware WiFi or Bluetooth, which is just another vector. so we package up all the application software and throw it inside a VM on D, exposing no IO except that relevant NIC to the VM.
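the two-box layout only holds if the firewalls on U and D actually enforce it, so here is an added example (mine, not from the post or Whonix) that generates nftables rulesets for both sides: on U, only the Tor user may reach the WAN, D may only reach Tor's SOCKS port, and U only opens connections toward D to deliver onion-service traffic; on D (or inside the VM on D), nothing leaves except toward U's SOCKS port. assumed names: eth0 is U's WAN NIC, eth1 the internal NIC, U is 10.0.0.1 and D is 10.0.0.2 with static addressing, Tor runs as user `tor`, and Pleroma listens on port 4000.

```shell
#!/bin/sh
# Added example, not from the post.  Assumptions: static addressing on the
# U<->D link, Tor running as user "tor" on U, Pleroma on D port 4000.

# gateway_ruleset WAN_IF INT_IF D_ADDR APP_PORT  -> ruleset for U.
# Default-drop on every chain; forwarding is disabled outright so D can never
# route through U, and the only WAN egress is from the tor user.
gateway_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        iifname "$2" ip saddr $3 tcp dport 9050 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        oifname "$1" meta skuid "tor" accept
        oifname "$2" ip daddr $3 tcp dport $4 meta skuid "tor" accept
    }
}
EOF
}

# workstation_ruleset INT_IF U_ADDR APP_PORT  -> ruleset for D (or the VM on D).
# Inbound: only U delivering onion traffic to the app port.
# Outbound: only new connections to U's SOCKS port; everything else is dropped,
# so an app that "forgets" its proxy setting simply fails instead of leaking.
workstation_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        iifname "$1" ip saddr $2 tcp dport $3 accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        oifname "$1" ip daddr $2 tcp dport 9050 accept
    }
}
EOF
}
```

usage: `gateway_ruleset eth0 eth1 10.0.0.2 4000 > /etc/nftables.conf` on U and `workstation_ruleset eth0 10.0.0.1 4000 > /etc/nftables.conf` on D, then `nft -c -f /etc/nftables.conf` to syntax-check and `nft -f` to load. if U gets its WAN address by DHCP you will need one extra rule for the DHCP client on the WAN interface; i left it out because the example assumes static addressing.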
You're Telling Me It Was All for Naught?
as if you didn't see it coming. but hey, i'm sure you'll find some way to use all that infrastructure for your... Bitcoin activities.
so anyway, give up on your dream of perfect anonymity. you know first-hand now how difficult and restricting that actually is. meditate on why you're spending so much time fiddling with these logic gates and bits and reorient.
Self-Hosting Is Fetch
i think this whole Internet thing is maybe just a social playfield? something to do with exploration, connections, creativity, and self-discovery? an open environment wherein anyone with time/dedication can do these things?
wait, is that where the Web went?
i don't want to oversimplify or aggrandize it (i will anyway), but when i recount my favorite eras of the internet, they're like this:
- middle school: i built super amateur videogames with my buddies, hosted the downloads + discussion for these on a site we built by hand, and then distributed the binaries + web link by handing out CDs in the school hallway. it was stupidly successful (surely a function of the era).
- high school: i encountered my first fandom. i wrote amateur music, internet friends made the song art, these things were shared on blogs and Skype and message boards. i attended cons and had the repeat experience of somebody discovering "oh, you're the guy who made that" 10 minutes into one of those late-night hotel-room conversations.
- college: i maintained some open source projects and blogged about technical/academic topics. people from across the world emailed me private responses that must have taken hours to write. i'd video-chat with people to help them port/extend my software to larger purposes. a professor even assigned my work as reading material for their students.
and i never really got it. but i think it was just simple, social, creativity. and i want more of that in my life.
Stripping It Down
i don't really need anonymity for this project, in fact strict anonymity would detract from it. i just need whatever level of pseudonymity helps me to let my guard down (and to not worry about e.g. identity theft).
that host machine (D) already has all the stuff we need for a secure-enough system if we strip out the anonymizing function of U. so do that, and use your Pleroma instance to explore the Fediverse. respectably insert yourself into conversations with everyday people and make connections.
find some little bug, or missing feature, and create a fix for it.
set up a Matrix (or xmpp) instance and reach out to the devs to coordinate.
set up a gitea instance in which to host your improved version of the project and from which to initiate a merge request.
give yourself your own personal homepage on the Web with a static site builder like Zola.
throw all this behind nginx so that you can host these services on different subdomains on the same physical host.
certbot/LetsEncrypt to secure the http traffic in all of 10 minutes.
spin up different systemd-nspawn/LXC/Qemu instances to isolate each service, or ditch proper containerization and just embrace separate, privilege-limited user accounts for each service.
you make the call.
just remember to take backups seriously, because things will go wrong as you're fiddling with all this stuff.
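for the nginx-plus-per-service-user variant of the steps above, here is an added example (mine, not from the post or any of the projects named): a function that emits an nginx server block proxying one subdomain to a local port using certbot's default certificate paths, a function that emits a hardened systemd unit running a service as its own unprivileged user, and an audit that refuses a directory of units in which any service runs as root or two services share an account. assumed names: the subdomains, ports, users and binaries are placeholders for whatever you actually run.

```shell
#!/bin/sh
# Added example, not from the post.  Certificate paths follow certbot's
# default layout; service names, users and binaries are placeholders.

# nginx_vhost SUBDOMAIN LOCAL_PORT -> server block terminating TLS for one
# subdomain and proxying to a service bound to loopback.
nginx_vhost() {
  cat <<EOF
server {
    listen 443 ssl;
    server_name $1;
    ssl_certificate     /etc/letsencrypt/live/$1/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$1/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:$2;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# systemd_unit NAME USER COMMAND -> unit that runs COMMAND as USER with the
# filesystem read-only apart from /var/lib/NAME, no device access, and no way
# to regain privileges via setuid binaries.
systemd_unit() {
  cat <<EOF
[Unit]
Description=$1
After=network.target

[Service]
User=$2
Group=$2
ExecStart=$3
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
StateDirectory=$1
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# audit_units DIR -> returns 1 if any *.service in DIR has no User=, runs as
# root, or reuses a User= already claimed by another unit in DIR.
audit_units() {
  rc=0
  seen=""
  for unit in "$1"/*.service; do
    [ -e "$unit" ] || continue
    user=$(sed -n 's/^User=\(.*\)$/\1/p' "$unit" | head -n 1)
    if [ -z "$user" ] || [ "$user" = root ]; then
      echo "$unit: runs as root" >&2; rc=1; continue
    fi
    case " $seen " in
      *" $user "*) echo "$unit: shares user $user with another unit" >&2; rc=1 ;;
    esac
    seen="$seen $user"
  done
  return $rc
}
```

usage: `nginx_vhost git.example.org 3000 > /etc/nginx/sites-available/git.conf`, `systemd_unit gitea gitea /usr/local/bin/gitea > /etc/systemd/system/gitea.service` (after `useradd --system gitea`), then `audit_units /etc/systemd/system` whenever you add a service. the unit hardening is deliberately strict; if a service needs to write somewhere other than its state directory, add a `ReadWritePaths=` line rather than dropping `ProtectSystem=strict`.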
once you're tired of updating DNS subdomain records through your registrar's portal, host your own nameserver. point your top-level domain to afraid.org's free & friendly dynamic DNS service if you have an unstable residential IP.
at some point, you'll have to deal with email. the state of email on the web is... pretty broken, so i'll forgive you if you settle on gmail/hosted Zoho/etc. really you can -- and maybe should -- skip as many of these components as you want if they don't align with your mission. but just remember that it's you who creates the web. this was and can be a person to person network. and there are persons out there who want you in it. if you read this far and want a hand in any of it, reach out to another person. message me through one of the contacts listed on my about page. i promise i'll respond, and in all likelihood i'll be happy to share this space with you.