cross-posted from: https://compuverse.uk/post/5020
Preamble- I’m new to the fediverse, and I want some help. I’m trying to regain some of my privacy and data sovereignty, and I have recently gotten into self-hosting. I haven’t been on social media for over a decade, except for Reddit, and that was mostly as a passive lurker. I just started getting more active on there this past year, and now they’ve turned me away with their shenanigans. I’m trying to get into federated communications to still have access to useful information while protecting my identity and data.
Goals- I’m thinking that I want to set up my own Lemmy instance, as well as my own xmpp server (like prosody), and switch over to jmp.chat. I also have my own domain.
Concerns- I want to spin up my own services so that I own my data and have greater control over my connections, and possibly have a hub that friends and family can use. However, I also don’t want to expose my domain (Why not? I don’t know. I’m completely new at this and until I learn more, I’m playing it cautious)
Questions- So, if I spin up my own Lemmy instance, doesn’t that expose my domain,since my username will be [email protected]? Is this the same for an xmpp server? One main reason to spin up my own xmpp server is to own my account for xmpp communications. However, can I tie that to my jmp.chat account, or would they need to be separate.
I kind of feel like a boat without an oar at the moment, and I’m not even sure if I’m asking sensical questions, but hopefully there’s enough light in my ramblings to give you all a sense of my goals. Any help would be appreciated.
https://snikket.org/ is a nice and easy way to host your own XMPP server. It’s a preconfigured Prosody server with some additional functionality.
In general you can’t really avoid to publish your domain name as that is kinda the entire point of having a domain name. Security through obscurity also doesn’t work most of the time.
Are you very familiar with xmpp or jmp.chat? Would I gain any benefit in using jmp.chat by having my own xmpp server? With my own xmpp server, I own my account, but I don’t know if I can then connect that in any meaningful way to jmp.
I am quite familiar with XMPP, but since jmp.chat is a north American service and I am from Europe I never actually tried their service. But as far as I know it works with any XMPP account including self-hosted ones.
If I spin up my own instance, won’t that expose my domain, since my username will be @[email protected] ?
Yes (click on my username for example).
What are your reasons for not exposing your domain? And why do you want to set up your own instance?
If you don’t want that, just make an account at another instance. There’s a few big ones to choose from, I think.
(I have no idea if this is true for xmpp too)
If you do setup your own server. Please make sure you automate regular backups and put them somewhere safe. Otherwise you might loose all your stuff.
My main thinking is that I don’t know what I’m doing, and I don’t want to unnecessarily open myself up to threats.
As an example, many people will post their personal information on social media. They think ‘why not? What harm can it do when I talk about my favorite teacher, or the street I grew up on, or my first date? What harm can that do?’ (Not realizing these are common answers to security questions) or ‘Why not talk about my big vacation coming up?’ (Not realizing they’re letting thieves know when their house is going to be vacant) People reveal information about themselves all the time online without a second thought because they can’t personally see the danger. I can’t personally see a problem with using my domain in this way, but I would prefer to check with those more experienced than me before I learn the hard way that I made a bad choice.
I hope that makes sense, and I appreciate any expertise you offer.
Those are very good things to think about; I agree with all of that.
None of the suggestions I made cover what actual information you (or your users) share ont the platforms (lemmy, mastodon etc).
As long as you federate with other servers (I.e. allow content to be shared with other servers, like how my account on my own server can comment on a post from the server you’re using), all the information posted on the platform should be considered 100% public.
If you want a place for just your friends, without talking with other instances, you should keep federation off.
I want to spin up my own services so that I own my data and have greater control over my connections, and possibly have a hub that friends and family can use.
That’s a noble goal; but you’ll have to think about what kind of adversaries you want to protect yourself (and your users) from.
E.g. if you don’t want to link your lemmy account to your government name you of course won’t use your real name, but you’ll also need to anonymize the WHOIS data of the domain, since that’s public information.
Not all domain registrars allow this.And depending on how far you want to take this, you might also want to buy the server anonymously.
All of that doesn’t even touch the security of the actual server, lol. Some pointers for that:
SSH
- use keys for to login, not passwords
- use a different port than 22 (it’s not more secure, but will reduce noise in the logs)
- install fail2ban (temporary blocks ips after a few failed attempts)
- make SSH only reachable from your home IP with a firewall
HTTP/S:
- use a caddy or nginx proxy in front of anything that talks http.
- use letsencrypt certificates (and check renewal is working)
- use proper SSL settings: https://ssl-config.mozilla.org/
VPS hosting:
- setup 2FA for your login
Monitoring: You can get very detailed, but try to cover at least the following:
- uptime (request your lemmy homepage)
- disk usage over 80%
- SSL certificate expiration
Yeah, I have done research on all of that before, but so far, I’ve just stuck with tailscale as a safe way to traffic my data. I’m going to have to do more research on each of these items again and figure them out. Any good resources you know of?
setting up the instance isn’t complicated, particularly with ansible - the ansible install creates several docker containers, separating the database from the UI, etc. You approve all the sign ups so you can control who posts from the instance.
Since Lemmy is a public system, I wouldn’t host it on a server where I had any important or confidential info stored. There is nothing wrong with setting it up as lemmy.yourdomain.com or anything.yourdomain.com - the domain name itself doesn’t really matter - and lemmy isn’t holding state secrets so just keep your own stuff secure - which starts with installing it on a system that isn’t shared with anything else - and make sure the only ports open to the web server are 80 and 443 (80 is needed for letsencrypt to issue a certificate)
If you’re not familiar with docker and hosting a public web site, it may be a little tricky but if you go the ansible route (all of my experience is on Linux - I have no idea about Windows), it’s pretty straightforward and intuitive. If you get stuck, post and somebody will probably be able to help - you can also DM me if you have questions that you don’t want to ask on the forum.
If you want to experiment with the set up, it is possible to install it on your home network as a sandbox, but if your ISP blocks port 80, you won’t be able to use letsenrypt to get a cert - so just comment those lines out of the ansible playbook and generate a self-signed certificate after the install and use that instead. That way you can go through the process of setting up the lemmy instance without putting it on an internet facing-server so you can get comfortable with how it works - the install of my dev system on the home network was pretty straightforward and it can read everything from the fediverse, it just can’t post anything. Lemmy admin is very basic so I encourage you to have a go.
So you’re suggesting that I not set this up on the same VPS I have my nextcloud instance on, then? That makes sense. Would I basically need two completely different VPS services if I wanted to do this? One for my private services, and one for my communication services?
I recommend that you be very cautious when setting up anything that faces the internet - if there’s a vulnerability in the OS or Lemmy app, there’s a good chance it will be exploited and all federated server names are published, so you need to be prepared for that and not be devastated if your data gets stolen, wiped out or encrypted by ransomware. Back everything up regularly. If you have a personal system with any valuable data on it then I would stridently discourage you from installing Lemmy there. Use a very small dedicated server instance and give it a cute name. Lemmy runs fine for a few users on a single CPU with 1 GB of RAM. You will need around 8GB of storage initially - that’s a bare minimum. This stuff might be covered in the install guides but this is from my own experience.
If you’ve never managed a public web server before I’m not sure that starting with Lemmy is ideal for learning, but then again, you won’t learn anything by doing nothing - just be mindful about security of your own data and backing stuff up once you have the instance set up and you should be fine.