Deertopia

A hot up-and-coming home-server for cute deer girls.

Website

Moved to Deertopia's webpage.

Commands I fail to remember

Mount dots w/ SSHFS

  sshfs crumb@guix-rebound:src/nixos-testbed-dots \
      -o uid=$(id -u),gid=$(getent group persist | cut -d: -f3),allow_other \
      /persist/dots

allow_other only works for a non-root user if user_allow_other is set in /etc/fuse.conf.

Run sops with a given key file

  EDITOR=nvim VISUAL=nvim SOPS_AGE_KEY_FILE=/persist/private-keys/age/deertopia \
      nix run nixpkgs#sops -- secrets.yaml

Yt-dlp output template for Jellyfin

  nix run nixpkgs#yt-dlp -- \
      -o 'Bridge Kids - S01E%(playlist_index)s - %(title)s.%(ext)s' \
      '«playlist URL»'

Services

Notes as posts

See: Publishing my Org-roam notes.

Nix binary cache

Public Org-mode notes

See: Publishing my Org-roam notes.

IDEA yt-dlp frontend

Requires VPN.

*arr suite

Requires VPN.

VPN

Mullvad looks good! It's what Faye and some folks on the Doom Emacs Discord server use. Costs about $5/month.

IDEA Dashboard

I have an idea to add a bit of status-reporting code to each of my NixOS sydnix.deertopia.* modules, which can all feed into a dashboard or a sydnix status command. }:3 I think that'll wait, though.

bib.deertopia.net

Given a URL such as https://bib.deertopia.net/dijkstra1968goto, give the BibTeX entry from my personal database.

  • bib.deertopia.net/«BibTeX ID»/source will redirect to the external source from which I originally found the item.

  • bib.deertopia.net/«BibTeX ID»/archive will return an archived copy served directly from Deertopia. It would probably be best to password-protect pirated entries. However, I could leave a note on the login page saying something like "Hey, send me an email if you need this! You can probably find this somewhere else, though }:) [links to search pages on libgen, archive.org, ddg search for "book-name pdf", ...]"

Pastebin

See the "pastebins" section of awesome-selfhosted.

Bepasty is currently my favourite option, as it supports videos (in addition to other non-text files), which is something I would've otherwise used separately!

Video sharing (like streamable)

Has some overlap with pastebin software. Particularly, bepasty is a pastebin with support for video.

File storage / synchronisation

See Self-hosted file synchronisation for a comparison of the many solutions available.

For sharing files with others, a web client like Filestash would be lovely.

Deertopia's requirements

  • NEED: Bidirectional synchronisation.

  • NEED: Compatible with iOS and Beorg. Most likely, this will mean a WebDAV interface.

  • NEED: Automatic synchronisation between devices (Linux, OSX, and iOS).

  • WANT: The ability to avoid unnecessarily duplicating large files à la git-annex.

  • WANT: Resistance to trivial conflicts à la git-annex.

Current plan of action

I currently believe the best action is syncing a directory with git-annex and --content, and serving the same directory over WebDAV.

Jellyfin media server

  • Finamp, a sweet iOS client for streaming music from Jellyfin.

  • Mopidy seems to allow exposing a Jellyfin library as an MPD database?

Gitea instance

Occasionally restart the server

In combination with Impermanence, this will help keep the system sane.

Backup Org-mode notes

KILL Email

I would love self-hosted email, but I don't think my up-time is competitive enough. (My fucking internet went out a minute after writing this sentence TwT.)

An alternative to Gmail, but still not self-hosted, is Fastmail. Relatively cheap, at $5/month (single user; extra email addresses for personal/work; 60 GB storage; masked email, presumably à la DuckDuckGo?), and I've heard good things.

IDEA Matrix

KILL Documents via Paperless

Tasks

Change dc=identify,dc=deertopia,dc=net to dc=deertopia,dc=net

Mullvad expires

Security

https://www.reddit.com/r/HomeServer/comments/rx2ed9/home_server_security/

Crash course on security for self hosting:

Alright, so here's kinda my "Top 10" of the basic things you can do that will reduce a significant amount of the vulnerabilities you will see. I've got a number of other suggestions but these are some of the most critical.

  1. SSH is not safe to expose by default. Enforce lockout through Fail2Ban and require key authentication.

  2. Any webserver facing the internet should be put behind a proxy using HTTP Basic Auth. While it isn't a particularly secure step, it does make it harder to enumerate for scanners and can be just enough of an extra step to defeat trivial attacks.

  3. Ensure that anything facing the internet is on a separate network and VLAN, with only the absolutely necessary services open to anything else.

  4. Enable automatic updates on anything exposed to the internet (honestly in general but internet facing in particular). This will be one of the biggest things you can do to easily remove a great deal of attack surface.

  5. Any user accounts on these systems should have no permissions on any other system. Different passwords, no SSH keys shared, that sort of thing. Follow u/malastare- 's recommendations for shared storage.

  6. Ensure that you have a good AV on each thing facing the internet, Defender for Endpoints (under the name MDATP still for Linux) is pretty competent and free. I say this as someone who has a raging hatred for MSFT products

  7. I don't entirely recommend dockerizing everything since I trust my ability to secure an application far more than some random schmuck on Docker Hub. However, if you don't have the skillset or time to harden them, by all means, sandbox things to hell. YMMV

  8. If your firewall supports it, install and enable Suricata in block mode on that interface, it will take some tuning to not block legitimate traffic but can help cut down on a significant number of threats.

  9. Use HTTPS on everything that supports it. Let's Encrypt works pretty well in my experience.

  10. Keep an eye on news for the services you run, particularly for any vulnerabilities and have a solid understanding on what is really running on your network. Excellent example of this is the recent Log4J mess.

Bonus Round:

If you want to go nuts and really harden your systems, go through CIS Level 1 benchmarks for the relevant services (if applicable) and operating systems. Deploy a real EDR (Endpoint Detection and Response) system with logging and alerting through a SIEM (Security Information and Event Management) system.

I will note, we're moving far, far from "Securing a home server" and firmly into "Enterprise security lab" but a well tuned EDR, IDS and SIEM will give you a lot of defensive capability. However, this introduces a massive jump in complexity and requisite skillset.
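Item 1 of the crash course (key-only SSH) has a trap that is worth checking mechanically: sshd uses the first value it reads for each keyword, so a "PasswordAuthentication no" appended to the end of sshd_config does nothing if an earlier line already said "yes". The script below is an added example, not from the Reddit comment or from this server's own configuration. It audits the global section of an sshd_config file (everything before the first Match block; directives are assumed to be in "Keyword value" form) against the settings that enforce key-only login, and runs on two constructed sample configs.

```shell
#!/bin/sh
# Added example: audit an sshd_config for key-only login.
# sshd takes the FIRST value it reads for each keyword, so a hardening line that
# comes after a weaker one is silently ignored. This audit mirrors that rule.
# Assumed: "Keyword value" form only; only the global section (before any
# "Match" block) is inspected, since Match directives are conditional.

# first_value FILE KEYWORD
# Prints the effective value of KEYWORD in FILE's global section, lower-cased.
# Prints nothing when the keyword is absent (sshd then uses its built-in default).
first_value() {
  key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  awk -v key="$key" '
    /^[[:space:]]*#/        { next }                     # comment line
    NF == 0                 { next }                     # blank line
    tolower($1) == "match"  { exit }                     # conditional block: stop
    tolower($1) == key      { print tolower($2); exit }  # first occurrence wins
  ' "$1"
}

# audit_sshd_config FILE
# Prints one line per weakness; returns 0 when every check passes, 1 otherwise.
audit_sshd_config() {
  f="$1"; rc=0

  v=$(first_value "$f" PasswordAuthentication)           # sshd default: yes
  [ "$v" = "no" ] || { echo "PasswordAuthentication=${v:-unset(yes)}: want no"; rc=1; }

  # Keyboard-interactive (PAM) prompts can still take a password even when
  # PasswordAuthentication is off. Older OpenSSH spells this keyword
  # ChallengeResponseAuthentication; accept either name.
  v=$(first_value "$f" KbdInteractiveAuthentication)
  [ -n "$v" ] || v=$(first_value "$f" ChallengeResponseAuthentication)
  [ "$v" = "no" ] || { echo "KbdInteractiveAuthentication=${v:-unset(yes)}: want no"; rc=1; }

  v=$(first_value "$f" PermitRootLogin)                  # sshd default: prohibit-password
  [ "$v" = "no" ] || { echo "PermitRootLogin=${v:-unset(prohibit-password)}: want no"; rc=1; }

  v=$(first_value "$f" PubkeyAuthentication)             # sshd default: yes
  [ "$v" != "no" ] || { echo "PubkeyAuthentication=no: key login is disabled"; rc=1; }

  return "$rc"
}

# --- constructed sample configs (not from any real host) ---
tmpdir=$(mktemp -d)
# "weak": the hardening line appended at the end never takes effect.
cat > "$tmpdir/weak" <<'EOF'
Port 22
PasswordAuthentication yes
PermitRootLogin yes
# appended later as a "fix" -- ignored, the first value above wins
PasswordAuthentication no
EOF
# "hardened": global section is clean; the Match block is out of scope here.
cat > "$tmpdir/hardened" <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
Match User backup
  PasswordAuthentication yes
EOF

for cfg in weak hardened; do
  if audit_sshd_config "$tmpdir/$cfg"; then
    echo "$cfg: OK"
  else
    echo "$cfg: NOT hardened"
  fi
done
rm -rf "$tmpdir"
```

On a live host, `sshd -T` prints the fully resolved configuration (defaults included), so `sshd -T | grep -i -E 'passwordauthentication|permitrootlogin'` is the authoritative check; the script above is useful for auditing a file before it is deployed, for example a config generated from NixOS options. The lockout half of item 1 is fail2ban's stock sshd jail, which reads the same auth log this configuration produces.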

References