Going Selfhosted: Breaking the prison of Surveillance Capitalism

Wait, what is surveillance capitalism?

  • Coined by Shoshana Zuboff
  • Capitalism: An economic and political system in which a country's trade and industry are controlled by private owners for profit
  • Surveillance Capitalism: When the said system's profit is made by monetizing the data obtained by surveilling the customers

Not really sure how this will affect me

  • Each and everything you do online is tracked by someone
  • Google knows you better than yourself
  • Companies like Google, Facebook, Amazon want to know as much as they can about you. They build a profile on you and want to sell it to the highest bidder
  • Why do you think Google provides so many services for free?
  • Google Home & Amazon Alexa are the prime examples of surveillance capitalism

Media is also trying to warn you

  • A New York Times article about Google sharing customers' location data with law enforcement (https://www.nytimes.com/interactive/2019/04/13/us/google-location-tracking-police.html)
  • Truecaller allegedly scanned SMSes to build a credit scoring system (https://inc42.com/buzz/how-truecaller-goes-through-your-smses-to-see-if-you-need-a-loan/)
  • Let's not even get started on what Facebook is up to. Apart from the Cambridge Analytica scandal, they paid teens to install a VPN that spied on them (https://techcrunch.com/2019/01/29/facebook-project-atlas/)
    • An interesting part is that Facebook listed it as an Enterprise app (meant for internal use by employees) so that it wouldn't go through the App Store's review process

Ok, I'm a bit worried, but does it actually pose any danger?

  • China is already doing it (not surveillance capitalism, but more of a mass surveillance program)
  • All public places are covered by CCTVs
  • Footage is scanned in real time for people with criminal records, ranging from drug dealers to jaywalkers
  • On their way to introduce a social credit system
  • Facial recognition and cell phone pinging were used in the recent Hong Kong protests to identify the protestors
  • Governments are already making deals; Oregon police and Amazon have teamed up to use facial recognition technology

Umm, but I do not do any illegal things

Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.

- Edward Snowden

When you say, ‘I have nothing to hide,’ you’re saying, ‘I don’t care about this right.’ You’re saying, ‘I don’t have this right, because I’ve got to the point where I have to justify it.’ The way rights work is, the government has to justify its intrusion into your rights.

- Daniel J. Solove

Fine, I don't want to live in an Orwellian future. What can I do?

Go Selfhosted

What can be self-hosted?

Git

Analytics

File storage

Calendar

Contacts

Blog

and much more ...

How a self-hosted setup looks
[Demo Time]

How to setup your own ecosystem

Software I used

Ansible

Docker

Traefik

Portainer

Nextcloud

Emby

Gitea

Fathom Analytics

Ansible role example for Portainer

 

- name: Run portainer container
  docker_container:
    name: portainer
    image: portainer/portainer
    restart_policy: always
    labels:
      traefik.frontend.rule: "Host:{{ portainer_domain }}"
      # traefik.port is the port inside the container; Portainer listens on 9000
      traefik.port: "9000"
      traefik.backend: portainer
      traefik.docker.network: "{{ traefik_proxy_network }}"
    networks:
      - name: "{{ traefik_proxy_network }}"
    volumes:
      # The Docker socket gives Portainer (and anyone who can log into it) full control of the host
      - "/var/run/docker.sock:/var/run/docker.sock"
    ports:
      # Optional once Traefik routes the UI; publishing it exposes Portainer without TLS
      - "{{ portainer_port }}:9000"
    state: started

Ansible role example for Nextcloud

 

- name: Setup nextcloud
  file:
    path: "{{ nextcloud_dir }}"
    state: directory
    mode: 0755

- name: Copy docker-compose
  template:
    src: templates/docker-compose.yml.j2
    dest: "{{ nextcloud_dir }}/docker-compose.yml"

- name: Start nextcloud and mariadb
  shell: "docker-compose up -d"
  args:
    chdir: "{{ nextcloud_dir }}"

Docker-compose for Nextcloud (Database)

 

version: '3.5'

volumes:
  nextcloud:
  db:

services:
  db:
    image: mariadb
    restart: always
    volumes:
      - db:/var/lib/mysql
    environment:
      # Quote rendered values so characters in a generated password cannot break the YAML
      MYSQL_DATABASE: "{{ nextcloud_mysql_database }}"
      MYSQL_USER: "{{ nextcloud_mysql_user }}"
      MYSQL_PASSWORD: "{{ nextcloud_mysql_password }}"
      # Separate root password; Nextcloud only needs the unprivileged user above
      MYSQL_ROOT_PASSWORD: "{{ nextcloud_mysql_root_password }}"
    labels:
      # Label values must be strings; a bare false is parsed as a boolean and rejected by compose
      traefik.enable: "false"
    networks:
      - nextcloud

Docker-compose for Nextcloud (Server)

 

  app:
    image: nextcloud
    ports:
      # Quote host:container mappings (YAML can read some unquoted ones as numbers).
      # Drop this block entirely if Nextcloud should only be reachable through Traefik.
      - "{{ nextcloud_port }}:80"
    depends_on:
      - db
    volumes:
      - nextcloud:/var/www/html
    restart: always
    environment:
      NEXTCLOUD_TRUSTED_DOMAINS: "{{ nextcloud_domain }}"
      NEXTCLOUD_ADMIN_USER: "{{ nextcloud_admin_user }}"
      NEXTCLOUD_ADMIN_PASSWORD: "{{ nextcloud_admin_password }}"
      MYSQL_HOST: db
      MYSQL_DATABASE: "{{ nextcloud_mysql_database }}"
      MYSQL_USER: "{{ nextcloud_mysql_user }}"
      MYSQL_PASSWORD: "{{ nextcloud_mysql_password }}"
    labels:
      traefik.frontend.rule: "Host:{{ nextcloud_domain }}"
      # Quoted: compose requires string label values
      traefik.port: "80"
      traefik.backend: nextcloud
      traefik.docker.network: "{{ traefik_proxy_network }}"
    networks:
      - "{{ traefik_proxy_network }}"
      - nextcloud

Docker-compose for Nextcloud (Document Server)

 

  documentserver:
    image: onlyoffice/documentserver
    restart: always
    networks:
      - "{{ traefik_proxy_network }}"
      - nextcloud
    environment:
      - "TZ=UTC"
    labels:
      - "traefik.enable=true"
      - "traefik.port=80"
      - "traefik.backend=documentserver"
      # Use the same variable as the other services; a hard-coded network name
      # silently breaks routing if the proxy network is ever renamed
      - "traefik.docker.network={{ traefik_proxy_network }}"
      - "traefik.frontend.rule=Host:{{ onlyoffice_domain }}"

networks:
  "{{ traefik_proxy_network }}":
    external: true
  nextcloud:
    name: nextcloud

Traefik's Labels

 

  • traefik.enable=true (Enable/disable the container in Traefik)
  • traefik.port=80 (Registers this container port. Useful when the container exposes multiple ports)
  • traefik.backend=documentserver (Name Traefik uses to identify the backend)
  • traefik.docker.network=traefik_proxy (The Docker network Traefik uses to reach the container; it must be one the container is attached to)
  • traefik.frontend.rule=Host:{{ onlyoffice_domain }} (Route requests whose Host header matches this domain to the container)

Running containers

 

DNS and Networking configuration

Ansible role example for Traefik

 

- name: Create traefik proxy network
  docker_network:
    name: "{{ traefik_proxy_network }}"

- name: Run docker container
  docker_container:
    name: traefik
    # Pin a 1.x tag: the --docker flag and the label names used here are Traefik 1.x syntax
    image: traefik:1.7
    command:
      - --docker
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "{{ traefik_dir }}/traefik.toml:/traefik.toml"
      # acme.json holds the Let's Encrypt account key and every certificate's private key;
      # create it with mode 0600 before starting the container
      - "{{ traefik_dir }}/acme.json:/acme.json"
    networks:
      - name: "{{ traefik_proxy_network }}"
    restart_policy: always
    labels:
      # Routes the dashboard through Traefik itself; the dashboard has no auth by
      # default, so protect its entry point in traefik.toml before exposing it
      traefik.frontend.rule: "Host:{{ traefik_monitor_domain }}"
      traefik.port: "8080"
    ports:
      - "80:80"
      - "443:443"
      # Publishing 8080 reaches the dashboard without the Host rule above; omit it
      # unless the dashboard entry point itself is protected
      - "8080:8080"
    state: started
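The role above mounts a traefik.toml but the slides do not show one. The following is an added example for Traefik 1.7, not a file from the talk: it terminates TLS with Let's Encrypt, redirects HTTP to HTTPS, only exposes containers that opt in with traefik.enable=true, and puts basic auth in front of the dashboard. The domain, e-mail address and the htpasswd hash are placeholders.

```toml
# Added example traefik.toml for Traefik 1.7 (not from the talk); <...> values are placeholders.
# Mounted at /traefik.toml by the Ansible role above.

defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    # Every plain-HTTP request is redirected to HTTPS
    [entryPoints.http.redirect]
    entryPoint = "https"

  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

  # Dedicated entry point for the dashboard, protected with basic auth.
  # Generate the hash with: htpasswd -nB admin
  [entryPoints.traefik]
  address = ":8080"
    [entryPoints.traefik.auth.basic]
    users = ["admin:<bcrypt hash from htpasswd>"]

[api]
entryPoint = "traefik"
dashboard = true

[acme]
email = "<you@example.com>"
storage = "acme.json"        # keep this file mode 0600; it contains private keys
entryPoint = "https"
onHostRule = true            # request a certificate for every Host: rule Traefik discovers
  [acme.httpChallenge]
  entryPoint = "http"

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "example.com"
watch = true
exposedByDefault = false     # only containers labelled traefik.enable=true get a route
```

With exposedByDefault = false the Portainer and Nextcloud containers from the earlier slides also need a traefik.enable: "true" label, otherwise Traefik ignores them; the document server slide already sets it. Publishing 8080 on the host is then acceptable because the entry point itself demands credentials.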

How traefik helps

 

  • Traefik listens to your service registry/orchestrator API and instantly generates the routes so your microservices are connected to the outside world -- without further intervention on your part.
  • In this case, to use traefik, you just need to add labels to your docker container
  • Provides a UI Dashboard out of box

DNS Config

 

  • We now need a way to access those services from the internet
  • It is advisable to use a domain
  • The host header defined in Traefik should match the subdomain
  • You can use Terraform or the cloud provider's API as well
  • I chose Terraform because it was the fastest way to get the desired results
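The Traefik label slide and the DNS slide both describe invariants that are easy to get wrong by hand: label values must be strings, traefik.docker.network must be a network the container actually joins, and every Host: rule needs a matching DNS record. The script below is an added example (not code from the talk) that checks those invariants, plus two host-security points, over a parsed compose file. It assumes the Jinja2 template has already been rendered and loaded (the structure yaml.safe_load returns); the SAMPLE_COMPOSE and SAMPLE_DNS values are constructed to mirror the slides' stack, with the proxy network assumed to be named "proxy" and example.com as the domain.

```python
"""Static audit of a rendered docker-compose file for a Traefik 1.x setup.

Added example, not code from the talk. Assumes the compose template has already
been rendered by Ansible and parsed (what yaml.safe_load returns); the SAMPLE_*
values are constructed to mirror the slides' stack.
"""
from typing import Any, Dict, List, Set, Tuple

Finding = Tuple[str, str, str]  # (service, check id, message)
DOCKER_SOCK = "/var/run/docker.sock"


def labels_as_dict(labels: Any) -> Dict[str, Any]:
    """Compose accepts labels as a mapping or as a list of 'key=value' strings."""
    if isinstance(labels, dict):
        return dict(labels)
    out: Dict[str, Any] = {}
    for item in labels or []:
        key, _, value = str(item).partition("=")
        out[key] = value
    return out


def hosts_from_rule(rule: str) -> List[str]:
    """Host names from a Traefik 1.x rule such as 'Host:a.example.com,b.example.com'."""
    if not rule.startswith("Host:"):
        return []
    return [h.strip() for h in rule[len("Host:"):].split(",") if h.strip()]


def audit_service(name: str, svc: Dict[str, Any], dns_names: Set[str]) -> List[Finding]:
    findings: List[Finding] = []
    raw_labels = svc.get("labels", {})
    # 1. Mapping-style label values must be strings: YAML reads a bare 80 as int and
    #    false as bool, and docker-compose rejects both.
    if isinstance(raw_labels, dict):
        for key, value in raw_labels.items():
            if not isinstance(value, str):
                findings.append((name, "label-type",
                                 f"label {key} is {type(value).__name__}, quote it"))
    # 2. A mounted Docker socket makes the container root-equivalent on the host.
    for vol in svc.get("volumes", []):
        if str(vol).split(":")[0] == DOCKER_SOCK:
            findings.append((name, "docker-sock", "mounts the Docker socket"))
    labels = labels_as_dict(raw_labels)
    enabled = str(labels.get("traefik.enable", "true")).lower() != "false"
    if not enabled or "traefik.frontend.rule" not in labels:
        return findings
    # 3. Traefik connects over traefik.docker.network, so the service must join it.
    net = labels.get("traefik.docker.network")
    nets = svc.get("networks", [])
    if net and net not in nets:
        findings.append((name, "network-mismatch",
                         f"traefik.docker.network={net} but service joins {nets}"))
    # 4. Every Host: rule needs a DNS record pointing at the proxy.
    for host in hosts_from_rule(str(labels["traefik.frontend.rule"])):
        if host not in dns_names:
            findings.append((name, "dns-missing", f"no DNS record for {host}"))
    # 5. Host-published ports beside a Traefik route let clients skip the proxy and its TLS.
    if svc.get("ports"):
        findings.append((name, "host-port-bypass",
                         f"publishes {svc['ports']} directly, reachable without Traefik"))
    return findings


def audit(compose: Dict[str, Any], dns_names: Set[str]) -> List[Finding]:
    findings: List[Finding] = []
    for name, svc in compose.get("services", {}).items():
        findings.extend(audit_service(name, svc, dns_names))
    return findings


# Constructed sample: the slides' services after rendering, with the proxy network
# assumed to be named "proxy" and example.com assumed as the domain.
SAMPLE_COMPOSE = {
    "services": {
        "db": {"image": "mariadb", "networks": ["nextcloud"],
               "labels": {"traefik.enable": False}},            # unquoted false
        "app": {"image": "nextcloud", "ports": ["8081:80"],
                "networks": ["proxy", "nextcloud"],
                "labels": {"traefik.frontend.rule": "Host:cloud.example.com",
                           "traefik.port": 80,                   # unquoted 80
                           "traefik.backend": "nextcloud",
                           "traefik.docker.network": "proxy"}},
        "documentserver": {"image": "onlyoffice/documentserver",
                           "networks": ["proxy", "nextcloud"],
                           "labels": ["traefik.enable=true", "traefik.port=80",
                                      "traefik.backend=documentserver",
                                      "traefik.docker.network=traefik_proxy",  # hard-coded name
                                      "traefik.frontend.rule=Host:onlyoffice.example.com"]},
        "portainer": {"image": "portainer/portainer", "networks": ["proxy"],
                      "volumes": [f"{DOCKER_SOCK}:{DOCKER_SOCK}"],
                      "labels": {"traefik.frontend.rule": "Host:portainer.example.com",
                                 "traefik.port": "9000",
                                 "traefik.docker.network": "proxy"}},
    }
}
# Constructed: the names the Terraform records on the DNS slide would create.
SAMPLE_DNS = {"cloud.example.com", "portainer.example.com",
              "onlyoffice.example.com", "traefik.example.com"}

if __name__ == "__main__":
    for service, check, message in audit(SAMPLE_COMPOSE, SAMPLE_DNS):
        print(f"{service:15} {check:18} {message}")
```

Run it after `ansible-playbook` has rendered the template (or point it at the output of yaml.safe_load on the rendered file) and keep it in the "everything as code" pipeline: the five checks are exactly the things that are invisible until a route returns a 404 or, worse, a service turns out to be reachable on a plain-HTTP host port.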

DNS Config in DigitalOcean

 

DNS Config using Terraform

 

provider "digitalocean" {
  token = "${var.do_token}"
}

resource "digitalocean_record" "cloud" {
  domain = "${var.domain}"
  type   = "A"
  name   = "cloud"
  value  = "${var.target_ip}"
}

resource "digitalocean_record" "portainer" {
  domain = "${var.domain}"
  type   = "A"
  name   = "portainer"
  value  = "${var.target_ip}"
}

resource "digitalocean_record" "onlyoffice" {
  domain = "${var.domain}"
  type   = "A"
  name   = "onlyoffice"
  value  = "${var.target_ip}"
}

resource "digitalocean_record" "traefik" {
  domain = "${var.domain}"
  type   = "A"
  name   = "traefik"
  value  = "${var.target_ip}"
}

Checklist

  • Have an automated backup and restore mechanism
  • Everything should be as code
  • Destroying and creating a new self-hosted cloud should be a one-step command

Replacing your favourite tools

Proprietary tool                 Self-hosted replacement
Cloud Storage (GDrive/Dropbox)   Nextcloud/Seafile
Google Analytics                 Fathom/Matomo
Google Docs                      Onlyoffice/LibreOffice Online
Evernote, OneNote, GKeep         Standard Notes
Media (Movies + Music)           Emby
Calendar + Contacts              Nextcloud
Google Photos                    Piwigo/Photoprism

The future of self-hosted apps

Thank You

By Yash Mehrotra