
Taking back control of my digital life - fallenhitokiri
https://screamingatmyscreen.com/2018/5/taking-back-control-of-my-digital-life/
======
8fingerlouie
I've been steadily moving everything back home ever since Snowden revealed
just how much snooping is going on, and with the last few years worth of
scandals, it seems i've made the right choice.

Initially i went the Raspberry Pi route, and in a few months i had 4 or 5 of
them running, which was where it started turning into a chore. While i enjoy
tinkering, i don't particularly enjoy keeping a host of machines up to date.

Fast forward a couple of years, and my home setup now looks like this :

- UBNT EdgeRouter for that sweet affordable hardware L2TP/IPSec VPN.

- Intel NUC6, Running everything internet facing in FreeBSD Jails.

- Intel NUC7, Running everything internally available through Docker, along
with Time Machine backups.

- Synology DS716+, Holds all data from both NUC machines, as well as personal
files (documents/photos/music/movies)

Resilio Sync is running on the external NUC to provide an "always on" node.

I have a couple of ODroid HC1 boxes that hold my backups, one at home and one
at a remote location.

The only thing i have yet to migrate is mail, which is still located at
GSuite. I've moved several times, but every time i decide it's not worth the
effort. Since "everybody" uses GMail every mail i send will eventually get
indexed as well, regardless of where i store my own mail. I use GSuite for
hosting 5 domains, and i've yet to find an alternative that doesn't require
either lots of money or lots of administration from me.

~~~
icebraining
I've set up a personal mail server using Debian + Exim + Dovecot (with sieve).
It took a bit of time at the start, but besides the couple of hours it took to
add DMARC a couple of years ago, and checking the backups are working, I never
have to touch it. I give out a different address for each company, so dealing
with spam is just blacklisting it (only happened a handful of times).

~~~
8fingerlouie
My main issue is that my ISP blocks SMTP(S) ports, meaning i'll have to host
it on a VPS somewhere. While i would avoid being indexed, i wouldn't truly own
my data anyway. I have a 300/300 mbit fiber connection, so in theory i could
mount the storage over VPN, but that just adds more places things can go
wrong.

Also, i remember from running my own mailserver 5-8 years ago, that keeping it
off various spam blacklists is a job in itself.

~~~
icebraining
Yes, ISP restrictions are a pain. If they only block outbound connections to
port 25, you could receive directly, and use a smarthost (on a VPS or an email
service) just to send. That's what I did when I ran it at home (my ISP didn't
block, but the IP range was listed on Spamhaus PBL).

As for blacklists, that's not been my experience at all, but YMMV.

------
fouc
Recently I was wondering what if all our phones and computers all connected to
our own personal "platform" that we have full control over.

Route everything on the phone through a personal platform. Gain control of
location, IP, maps caching, etc.

Centralize at a personal level.

~~~
close04
A platform is useful for the other services it provides: Google funnels your
data but gives you better search, MS swipes some info about your PC to give you
better drivers, Facebook takes all your likes and dislikes to give you stories
to your taste. [talking about stated interest here]

What would your personal platform do? How would it take that data and turn it
into something useful while also removing the privacy concerns?

Best you can do is have something that blocks or spoofs that data before
sending it to the "collector". So you gain the privacy and you lose on the
service improvement. If this is a legitimate concern you can try to drop the
most intrusive platforms from your digital life. These would most likely be
Google and Facebook.

Alternatively there are options for you to use with more limited effect: ad
and tracker blockers, secure or anonymous browsers, VPN, stricter privacy
settings on your devices, etc. The end result is usually the same: the less
data you provide them, the less useful their service is. Which makes trading
your info even less enticing.

~~~
ACS_Solver
Yeah, that's the crux of the matter. I'm one of the rare (outside the HN
bubble at least) tech users who try hard to retain control of data and avoid
cloud providers. I've never used Gmail, I have a Google account but almost
never sign into it, I don't have a Facebook account, I aggressively block ads,
tracking scripts, etc, etc. It seems like the main cost I'm paying for that
isn't the setup effort (setting up a mail server for instance is mostly a one-
time effort), it's the lack of some really neat features. I don't get Google
alerts relevant to items on my calendar, the photos I take with my phone stay
there until I manually transfer them to my PC, I don't have an easy way to
look up which restaurant I visited in another city 2 years ago, and the list
keeps getting bigger.

I really like the idea of having centralization at a personal level, but it
seems like the most you can get out of it is fairly hassle-free
synchronization of your stuff between devices. Which is nice, but I don't see
how it could provide Google-style features that are useful mainly because of
the aggregation of many gigabytes of user data per day.

~~~
close04
Yeah, that's what I was also curious about: to what extent can you use the
data you collect from yourself to get some genuinely useful outcome? How do I
get a better news feed, search results, restaurant recommendations, etc. using
the data on my personal platform?

Because there are 2 sides of this issue: not giving up your data and using it
productively.

~~~
ACS_Solver
One thing that seems reasonably possible is to get restaurant recommendations
if you built your own app for that. You'd have to tag restaurants you enjoy or
frequent manually, in order to avoid providing location data to Google, but
with that input you could rank restaurants in any area by how similar they are
to your preferred places. This has some complications anyway because Google
Places API, if you rely on that, doesn't provide access to all the tags you
see in Google Maps, and you'd have to replace some of that with freeform text
search.

But stuff like search results? Auto-tagging items/locations in your photos? I
was very impressed by the stuff Google Photos can do, but those features
obviously rely on some very well-trained neural networks.

If there existed a promising "personal platform" solution, I'd happily support
it by donating and hopefully code contributions, but I'm not aware of anything
much better than Owncloud, which itself isn't dramatically different than
using rsync/duplicity in cron jobs.

------
confounded
Out of interest, have any self-hosters here tried _one big machine_ with lots
of VMs, as opposed to a stack of NUCs/Pis?

The recent Intel scares have got me interested in firmware and Libreboot
again, and a HN commenter[0] pointed me at some extremely beefy (e.g. 16
cores!) AMD motherboard/CPU combos, that it’s possible to run fully-free
firmware on.

Without doing much actual research, Xen on a big box seems like it could be a
good way to have a single physical machine where I ‘deploy’ different services
in VMs.

Anyone gone this route, or can think of any problems with this approach? It
seems like it could be a little easier to manage, but I’m sure there are extra
considerations for networking and security.

[0]: https://news.ycombinator.com/threads?id=153791098c

~~~
fallenhitokiri
OP here - all of my services run in a VM on the Dell server, including some
other VMs used for work. Works pretty well, but you pay a slightly higher
energy bill.

As long as only a few users (in my case between 1 and 6) use the services
you'd be surprised with how little resources you can get away with.

My initial test VM (VMWare) I used had 1 CPU and 1GB memory - it ran Postgres,
miniflux, docker registry, gitea and wallabag without problems. CPU mostly
idle, memory without a lot of load ~350MB. (Alpine as base for docker)

------
ta76567656
The main issue with this approach for me is that Google et al. clearly have
much better physical security than my apartment. In exchange for in-principle
privacy improvements and possibly Fourth Amendment protection you take on a
huge risk of burglaries, fires, floods, power outages, etc, plus of course the
workload of being your own sysadmin.

Also, if you're paranoid, your data is more exposed. You can turn off all your
devices with disk encryption when they're out of your control (usually) but if
you turn off your NAS while you're away from home it's useless. And if it's on,
physical access, and therefore your data, is easy to obtain by the moderately
motivated.

Google is like a feudal lord: they might own you, but they'll protect you from
everyone else weaker than them.

~~~
8fingerlouie
As for physical security, you risk burglaries, fire, floods, etc, but that's
why you have remote backups.

I keep everything except the boot drives on encrypted drives, so that in case
of burglary no data is readable. The boot drives hold no data or passwords,
only enough to start up and allow SSH logins. It's a small chore to login and
manually mount the drives, but IMO worth it.

As for physical access, besides the 40kg German Shepherd Dog roaming my house,
the same rules apply to access as from the outside: 2FA, and limited login
attempts. I do expose more services on the LAN than i do on the internet, but
everything requires authentication.

For personal cloud stuff i use Resilio Sync. It's not dependent on a single
machine being powered on, and i have a couple of machines at different
physical locations (both _mine_, as in hardware and sysadm tasks) "hosting"
the data.

~~~
fallenhitokiri
OP here - basically the same, but with a 60kg SwissyDog which actually is
pretty useless to protect the house :)

I can also power down systems when leaving for a longer period and simply WoL
them once connected to the VPN.

------
onefish
Recently I've been playing around with something like this, or really, getting
back to something like this. Years ago I was an idealistic graduate student
who didn't have any "free" (you-are-the-product) digital service or social
media accounts - I used Lavabit (before it got shut down) for email and a
couple of cheap VPS providers to run a little blog and IRC bouncer. I had a
dumb "burner" phone, a RockBox-based MP3 player, ran Tomato on my router, and
ran Debian on most everything else.

I think the main factors that killed it for me, that made me drink the Kool-
Aid so to speak, were a combination of getting an Android phone and the
shutdown of Lavabit (with all the hassle that incurred - notifying dozens of
colleagues, mailing lists, etc of the change). Concurrently with this I had
just gotten my first industry gig at a pretty large networking equipment
company, on a team with mostly older, mellowed, senior engineers for whom
programming was "just a job". I didn't want to seem like a "paranoid weirdo"
who had some black-hat alter ego. I sold out.

Since, I've pretty much moved wholesale to Google. I still don't use any other
digital services - Google has basically become my one-stop shop, for better or
worse. I use Android, Chrome, Gmail, Drive, Music, Books, Search, Maps, Keep,
Photos, basically the whole damn suite. It's a beautifully unified and
seamless experience. I feel in-general, Google gets just about everything
right (I don't use Docs - I still write docs in LaTeX, haha). It's quite a 180
from what I had before.

But ultimately, I think this has caused me a lot of cognitive dissonance. I've
spent a lot of time thinking about how to "get back" lately, but this is
tempered by how much control I've already given up and, well, what is frankly
a pretty damn high quality and convenient experience and there are some things
(like Maps, and Photos) which I really don't want to give up. I also don't
hold any delusions that anything I do is going to be "more secure" from any
threat model, really. I guess I just miss all the DIY. The creativity and
control.

Anyways, recently I've been building an ARM64-based "mini-homelab" around an
Archer AC1750 router running OpenWRT, a stack of three Odroid C2 SBCs, and an
Nvidia Jetson TX1 (with a 50K LUT FPGA on the m.2 PCIe slot). I also have an
ARM64 VM in the cloud. Once that's all set up, I've been considering how much
I can "get back" under my control.

~~~
Arn_Thor
I enjoyed google, and used docs and sheets for budgeting and planning. Then
one day it was all gone.

I'd had two google accounts, one created a decade ago on YouTube and later
connected to my gmail-google account. I used the same login for both, and
could switch between them without problem. I had used my Youtube-persona for
most of my google docs work. That was all fine until suddenly I could only
access docs from my other gmail-persona. They had without warning or reason
changed either the account type or the app permissions for my account type.
Not a word of warning, or even a message. There's no reverting it, no one at
Google has been able to undo the change or recover my documents.

NEVER AGAIN will I trust any important information to any cloud company.

That was the day I started to take everything off the cloud and access it
through a NAS at home (with off-site backup of course). I've never slept
better.

~~~
onefish
I guess I'd be curious about how you deal with e-mail, since that was my
negative experience with a cloud provider (Lavabit), and I think in-general
e-mail is a much harder (and maybe inadvisable) service to self-host.

I always like to read experiences and opinions of people who lean one way or
the other with regard to all this stuff, or are at least cognizant of it at
all, since it seems 99% of people just use whatever they happen upon first and
that solves their problem.

~~~
Arn_Thor
Good question. I'm still stuck with Google for my personal mail, but I use an
email client on my PC to download emails and archive them, and periodically do
a full download of all my Google content. Not the easiest or most fun
solution, but I found that hosting my own email would be a prohibitive amount
of work.

------
teekert
"I think the only thing I would like to have automated but have not yet is
getting photos from our phones on the server, right now they still go through
iCloud."

I use Nextcloud for this, every picture I take is directly synced to my own
basement. I can browse them and share them directly from the ui. Nextcloud
also offers a nice webui for your email and allows syncing of your calendar and
contacts from iPhone or Android. For me it allowed me to switch away from
Google for my phone's back-end.

~~~
fallenhitokiri
OP here - I actually looked into NextCloud but for most file sharing went for
Resilio, so this would be the only use case for NextCloud which seems a bit
thin. The Qnap NAS actually provides functionality like this, but I didn't
have a chance to take a closer look at it. And I assume I still have to
manually open the app once in a while for a sync, which is one step below
where I'd actually want to get to.

~~~
teekert
I don't have to open the app, my pictures sync when I am on my home wifi and
on the charger. But you can also set it to immediately upload after a picture
was taken.

------
vxNsr
This is a great read, but I'd like to hear more about the nitty gritty, what
server hardware you use, it seems like you have 3 pis and then a bunch of
really advanced enterprise-level stuff for other work... I'd love a guide on
what you did to get here. The internet really needs something like that.

~~~
hkajhfjl
I'm not the OP, but I have been doing this for some years now. Here's how I
went about it.

I got out of social media in early 2012. Deleted FB and Twitter. I do maintain
a presence on LinkedIn, but I never post anything there, nor do I login. It's
mostly there because employers expect a LI profile. It's just a bland copy of
my resume.

I moved my email from Gmail to my own domain from 2013-2015. It took almost
two years because I had Gmail since April 2004, a few days after launch. My
whole digital life was tied into Gmail, and moving stuff over takes time. I
still have that Gmail account, but again, I never log into anything Google,
and it simply forwards any email to my real account. I get maybe 1 email a
month from Gmail.

I host my email with Fastmail, but I've also selfhosted, and tried O365. It's
easy to switch, and I keep an offline backup of everything.

Now, my hardware and software setup.

At home, I have a Synology NAS with ~12 TB of usable storage. This is my
primary data store - I have software that automatically backs up all photos
from my iPhone, Time Machine, Veeam, rsync, and email backup.

I own my own physical server (Dell R720XD) which is colocated in a datacenter
in a different country. This server has 96 GB of RAM, 16 TB of storage, and 12
Xeon cores. It usually runs between 12-25 VMs, some of which are production
(personal), hosting my websites, git, various projects, and so on. It's
connected to the internet through a gigabit connection with a 10 TB monthly
bandwidth cap (I never come close to 1 TB!). This costs me ~$85 a month. I
don't do BGP, though I could if I paid some more and put in a proper router
and got my own IP range. As it stands, the 8 public IPs I get are enough for
me.

The colo server is connected via an always-on, site-to-site IPSEC VPN to my
home LAN (through my EdgeRouter X). I have symmetric gigabit, so it's
practically like having the machine in my house.

My NAS backs up to the colo server, and the colo server to the NAS (via
rsync). The NAS also backs up to a local USB drive, for quick restores.

All my home data lives in four places

1. The local PC/laptop/phone.
2. The NAS
3. The USB Disk
4. The offsite colo server.

Likewise, all my colo data lives in the same four places.

I can VPN in to the colo server and get connected to my home lan from anywhere
in the world. Any sensitive data is encrypted - and anything really sensitive
is not stored on a computer.

This setup works very well for me and my family, and I control all my data and
am not dependent on a cloud provider. I also have a bunch of other servers
running in my home, but they aren't part of my core infrastructure.

The cost?

~$1200 for the R720. ~$1000 for the NAS. and ~$85 a month for colocation
costs.

~~~
voltagex_
Few more questions:

* How do you backup Fastmail?

* How'd you find your colo provider?

* If it's in a different country, how does the latency affect you?

~~~
walterbell
Ditto on the colo provider question.

Which virtualization do you use on server and how do you handle remote admin
and security updates for guest VMs and host?

~~~
hkajhfjl
I use Hyper-V. The server reboots once a month for security updates.

Guests - it depends on the OS the guest is running. I follow standard best
practice for each OS. The server has encrypted drives, and each VM disk is
also encrypted.

Remote Admin - SSH, Remote Desktop, PowerShell etc. Standard management
protocols. Since I have the IPSEC VPN always running, I can use anything.

I'm aware that I could be hacked if someone sufficiently skilled wanted to
take me down, but that's true of anything stored online. I've achieved a
reasonable level of security and I have control over my data.

------
sneak
The amount of lost time spent sysadminning and configuring and securing these
things is not a potential risk, it is a real cost.

Getting NSLed or TOSed is a potential risk, not a guarantee. For most people
who are doing nothing controversial or interesting and who are just using the
cloud to receive service notifications and correspondence from friends (who
are also doing nothing controversial or interesting), it isn’t a loss of
control.

This is a real trade-off, and neither is right. But don’t pretend that keeping
a half dozen complex services up, backed up, and secured isn’t a huge time
investment. You can’t get that back.

~~~
hkajhfjl
No, not really. It isn't a huge time investment if you know all this well
(let's say you sysadmin for work).

Of course it is not feasible for most people to do this, just like it's not
feasible for me personally to rebuild my car's engine, or grow vegetables in
my garden. Both of which my neighbor does with great ease.

The point is, I use my skills to make my life better, as everyone does. I
enjoy it, and it has the side effect of keeping my data private. For things
I'm not good at, I either spend time getting good, or I pay a professional for
his time and skills.

My mother uses Google and Apple services to back up her photos and data, and I
wouldn't dream of forcing my approach on her.

My spouse asked me to set all this up for them, since they share my feelings
about data privacy.

------
nickjj
The MVP of this approach would be buying a $60 external USB HD and backing
everything up to that on a daily basis. Works great if you "only" have a few
TB or less of data.

Here's a bash script + the set up I'm running to do that:
https://nickjanetakis.com/blog/automatic-offline-file-backups-with-bash-and-rsync

------
rcarmo
I have a similar home setup, but don’t recommend using Pis for disk-intensive
workloads due to SD Card volatility. My HomeKit setup, for instance, is
Dockerized and runs on an ODROID board with EMMC storage, and the build server
for my ARM containers boots from an SD card but has a USB hard drive.

~~~
fallenhitokiri
At this point I would not recommend using PIs for anything long running at
all. I have two v3 and one v2 and all of them crashed at some point, one of
the v3 was idle during that time.

The one PI I still run as build server operates off a write-protected SD card
and reboots regularly.

I am not 100% sure why the PIs crashed yet (still have to do the
investigation), but if errors like this already show up in a server rack with
AC attached I'm a bit skeptical.

~~~
8fingerlouie
The usual suspect when it comes to Pi SD Card corruption is a bad power supply.
The Pi will (attempt to) draw more power than it can, resulting in a corrupted
SD card.

I've also run a large part of my internal network on RPis, but have since
moved to Intel NUC machines, where i replaced a bunch of Pis with 2 NUCs.
Storage, like you, has always been handled on a NAS. Synology in my case.

I don't have need for much computing power, so the NUCs handle that just fine.

See my other comment :
https://news.ycombinator.com/item?id=17966507

------
NIL8
I'd love to see a YT channel or a website that teaches how to do stuff like
this for the non-tinkerer. I'm thinking along the lines of Primitive
Technology's channel where he simply shows the process step-by-step.

------
bthornbury
Very cool, would love to see more content on this topic. Setup guides of
individual services, issues you've run into, more on hardware choices, and
definitely more on your smart home setup.

~~~
fallenhitokiri
OP here, thanks! I posted a few more details here[1] and will follow up with
an in-depth blog post covering as much of the rest as possible.

For the smart home setup I am mostly using Elgato Eve SmartPlugs, their door
and window sensors and Homebridge for everything that does not integrate with
HomeKit natively. Any light source I cannot directly plug into a power outlet
(ceiling mounted, e.g.) is at least remote controllable via RF, not IR, and I
am currently working on figuring out how to send the control signals through
a Pi or Arduino with an RF transceiver.

[1] https://news.ycombinator.com/item?id=17966311
[2] https://github.com/nfarina/homebridge

