2022-03-19

Re: What do you self host?

#software

Following ew0k

gemini://warmedal.se/~bjorn/posts/2022-03-18-re-what-do-you-self-host-.gmi

local copy

responding to JDJs post "What do you self host?"

gemini://jdj.golf/gemlog/what-do-you-self-host.gmi

local copy

Server sounds like a big word for a small single board computer, more specifically a APU2 board by pcengines.ch[a]. This board features 3 ethernet interfaces and therefore is used as a gateway, directing all outbound traffic towards the internet connection (Fritz!Box), while providing a number of services to the home network. Regular backup is done using borgbackup to a different system.

Network Services

Anything needed to make systems on the home network talk to each other or the internet is provided on the internal interface:

• dnsmasq --- dhcp, dns, bootp/tftp, ipv4
• radvd, wide-dhcp6c --- ipv6 autoconfig, announcing a local /60 prefix and gateway
• chronyd --- ntp time server
• firewall, configuration provided via ferm (For Easy Rule Making)
• sshd access, somewhat hardened, public_key access only

Collection of Environmental Data

• collector --- perl script; request environmental data from rs485 bus sensors, feed data to mqtt broker
• mosquitto telegraf influxdb grafana --- collect environmental data into a database and make said data visible on a web browser

Communication

• apt-cacher-ng --- package proxy, download .deb packages once, serve/use often
• bip --- chat zombie/proxy; used rarely
• agate --- gemini capsule
• nginx --- leftovers of a html based blog (static files), practically unused
• nginx/nextcloud --- private files/contacts/calendar etc "cloud", not used much, but occasionally nice to have.
• nginx/cgit --- git repositories at home
• postfix --- mail transfer agent
• fetchmail --- periodically collect emails from external mail boxes
• dovecot --- imap server for my mailboxes

External Access

This system is not known via dyndns.org or similar, neither is the Fritz!Box. So inbound connections are not permitted. But how to make "home" accessible from abroad? Well, first of all, this use case is not important for me, but I thought it would be nice in case of urgency. So I set up a few .onion services via TOR. Publicly accessible is only the .onion service, which serves a copy of my gemini capsule.

• tor --- .onion service for gemini

There is also an "Authenticated Onion Service"[b] in order to connect to the system from the outside. A connection can only be established, if the requester can provide an additional piece of information[c].

• tor --- authenticated .onion service for sshd

Cheers,

~ew

---

[a] pcengines.ch/apu2.htm

[b] Onion Service Authentication

[c] see "CLIENT AUTHORIZATION" in the torrc man page

Home